orca-cli
Pass
Audited by Gen Agent Trust Hub on Jun 23, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits a significant attack surface for indirect prompt injection due to its core functionality.
- Ingestion points: Untrusted data enters the agent context through
orca terminal read,orca snapshot(browser accessibility tree),orca cookie get, and various data extraction commands such asorca exec --command "get text ...". - Boundary markers: The instructions do not provide or mandate the use of delimiters (e.g., XML tags or triple quotes) or explicit system-level warnings to ignore instructions embedded within the data retrieved from terminals or the browser.
- Capability inventory: The skill provides high-privilege capabilities that can be triggered by processed data, including sending input to terminals (
orca terminal send), creating persistent scheduled tasks (orca automations create), and executing arbitrary JavaScript in the browser context (orca eval). - Sanitization: There are no instructions or mechanisms for sanitizing, escaping, or validating external content before it is processed or used to influence subsequent agent actions.
- [COMMAND_EXECUTION]: The skill is centered around executing the
orcaCLI tool to perform system-level operations. - Evidence: Extensive use of
orca worktree,orca terminal, andorca automationscommands which manage local files, processes, and persistence. While these are the intended purpose of the skill, they represent a powerful execution surface if the agent is misled by malicious input.
Audit Metadata