multi-ai-research

Fail

Audited by Gen Agent Trust Hub on Jun 19, 2026

Risk Level: HIGHEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill requires the user to install the '@jackwener/opencli' package globally from NPM. This is an unverified third-party dependency from a source not included in any trusted vendor lists.
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to execute 'opencli' and 'twitter' commands. These commands are constructed using dynamic string interpolation (e.g., 'opencli grok ask "{{PROMPT}}"') based on user-supplied research questions. This pattern is vulnerable to command injection if the input contains shell metacharacters such as backticks or semicolons.
  • [DATA_EXFILTRATION]: The skill explicitly sends internal data summaries, research context, and metadata like file paths and database locations (as seen in Phase 2 templates) to external AI services including Grok and Gemini. This represents a flow of internal environment information to non-whitelisted external domains.
  • [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8). Ingestion points: Data is ingested from the outputs of 'opencli' (Grok/Gemini) and 'twitter' CLI tools. Boundary markers: There are no explicit delimiters or system-level instructions to ignore embedded commands within the fetched external content. Capability inventory: The skill can execute Bash commands, write files (artifacts), and spawn multiple sub-agents. Sanitization: No evidence of filtering, escaping, or validation was found for the external content before it is used to generate final action items and recommendations.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Jun 19, 2026, 03:58 PM
Security Audit — agent-trust-hub — multi-ai-research