opencli

Fail

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: HIGHCOMMAND_EXECUTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill makes extensive use of the opencli command-line tool via subprocess calls to interact with web services and automate browser actions.
  • [REMOTE_CODE_EXECUTION]: The skill features a 'CLI Hub' capability that can automatically download and install missing third-party CLI tools (e.g., executing brew install gh) when a registered command is used, which constitutes a form of remote code execution or dynamic software installation.
  • [DATA_EXFILTRATION]: The tool is designed to access and reuse the user's active, authenticated browser sessions for over 80 sites, including Twitter, Reddit, and LinkedIn. This allows the agent to read private data such as notifications and bookmarks. The skill attempts to mitigate risk via a 'Security Policy' that instructs the agent to avoid sensitive sites like banking or email, but this is a procedural guideline rather than a technical sandbox.
  • [DYNAMIC_EXECUTION]: Through the opencli operate eval command, the skill allows the execution of arbitrary JavaScript code directly within the browser's context. This capability can be used to extract sensitive information from the DOM or perform actions that bypass standard UI constraints.
  • [EXTERNAL_DOWNLOADS]: The installation process requires the user to globally install an NPM package (@jackwener/opencli) and a Chrome extension from a third-party GitHub repository, introducing potential supply chain risks.
  • [PROMPT_INJECTION]: The skill has a large attack surface for indirect prompt injection because it is designed to scrape and process content from a wide variety of external websites. The skill includes specific instruction-based 'Critical Rules' to prevent the agent from following malicious links or tokens found in scraped content, which serves as a basic boundary marker.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 19, 2026, 04:39 PM
Security Audit — agent-trust-hub — opencli