skills/oldwinter/skills/orca-cli/Gen Agent Trust Hub

orca-cli

Pass

Audited by Gen Agent Trust Hub on Jun 23, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits a significant attack surface for indirect prompt injection due to its core functionality.
  • Ingestion points: Untrusted data enters the agent context through orca terminal read, orca snapshot (browser accessibility tree), orca cookie get, and various data extraction commands such as orca exec --command "get text ...".
  • Boundary markers: The instructions do not provide or mandate the use of delimiters (e.g., XML tags or triple quotes) or explicit system-level warnings to ignore instructions embedded within the data retrieved from terminals or the browser.
  • Capability inventory: The skill provides high-privilege capabilities that can be triggered by processed data, including sending input to terminals (orca terminal send), creating persistent scheduled tasks (orca automations create), and executing arbitrary JavaScript in the browser context (orca eval).
  • Sanitization: There are no instructions or mechanisms for sanitizing, escaping, or validating external content before it is processed or used to influence subsequent agent actions.
  • [COMMAND_EXECUTION]: The skill is centered around executing the orca CLI tool to perform system-level operations.
  • Evidence: Extensive use of orca worktree, orca terminal, and orca automations commands which manage local files, processes, and persistence. While these are the intended purpose of the skill, they represent a powerful execution surface if the agent is misled by malicious input.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 23, 2026, 12:29 AM
Security Audit — agent-trust-hub — orca-cli