skills/ninehills/skills/oracle/Gen Agent Trust Hub

oracle

Fail

Audited by Gen Agent Trust Hub on Jul 4, 2026

Risk Level: HIGHCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructs the agent to execute npx -y @steipete/oracle, which downloads and runs a third-party package from the NPM registry during execution.
  • [DATA_EXFILTRATION]: The skill features a --copy-profile capability targeting sensitive browser data in ~/Library/Application Support/Google/Chrome. It explicitly describes copying the profile and using the system Keychain to decrypt session cookies, which poses a high risk of session hijacking or unauthorized access to the user's web accounts.
  • [CREDENTIALS_UNSAFE]: The documentation provides examples of fetching API keys using the 1Password CLI (op item get ... --reveal) and injecting them into the environment, which could expose sensitive credentials to the tool's process.
  • [COMMAND_EXECUTION]: The skill includes a command to run a server (oracle serve --host 0.0.0.0) that listens on all network interfaces, potentially allowing remote entities to interact with the host machine.
  • [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection.
  • Ingestion points: Arbitrary repository files and directories included via the --file parameter in SKILL.md.
  • Boundary markers: None; there are no delimiters or instructions to treat attached file content as data rather than instructions.
  • Capability inventory: Accesses browser sessions and cookies, executes remote packages via npx, and performs network operations.
  • Sanitization: None; the tool bundles local file content directly for LLM processing without filtering or validation.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Jul 4, 2026, 04:21 PM
Security Audit — agent-trust-hub — oracle