openshell-cli
Pass
Audited by Gen Agent Trust Hub on May 14, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill documents the
openshell doctor execcommand, which allows users to execute arbitrary shell commands inside the gateway container environment for diagnostic and administrative purposes. - [DATA_EXFILTRATION]: The instructions reference the use of local sensitive files, such as SSH private keys (
~/.ssh/id_rsa), which are required for the standard workflow of provisioning and managing remote gateways. - [PROMPT_INJECTION]: The skill describes a process for monitoring sandbox logs (
openshell logs) to observe denied network actions and refine policies. This introduces a surface where untrusted data from the sandbox environment is ingested into the agent's context. - Ingestion points: Untrusted log content is read via the
openshell logscommand as part of the policy iteration workflow in SKILL.md. - Boundary markers: The documentation does not implement specific boundary markers or instructions to ignore potential commands embedded in logs.
- Capability inventory: The agent has access to CLI tools for infrastructure management, command execution, and policy updates.
- Sanitization: There is no description of sanitizing or validating log output before processing.
Audit Metadata