orca-cli
Pass
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill acts as an ingestion point for untrusted data from external sources, making it vulnerable to indirect prompt injection attacks where content from web pages or terminal streams influences agent behavior.
  - Ingestion points: External content enters the agent context through `orca snapshot` (browser content), `terminal read` (process output), and `orca console` (log data).
  - Boundary markers: The skill instructions do not specify any delimiters or ignore-instructions to isolate untrusted content from systemic instructions.
  - Capability inventory: The skill provides a high level of control, including shell command injection via `terminal send` and worktree manipulation via `worktree rm`.
  - Sanitization: No sanitization or validation logic is defined for the data retrieved from the browser or terminals before it is processed by the agent.
- [COMMAND_EXECUTION]: The skill provides high-privilege automation capabilities that increase the potential impact of an injection. The `orca eval --expression` command allows for arbitrary JavaScript execution within the browser context, and `orca terminal create --command` allows for the launching of arbitrary shell commands.
Audit Metadata