opencli
Fail
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: HIGHCOMMAND_EXECUTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill makes extensive use of the
openclicommand-line tool via subprocess calls to interact with web services and automate browser actions. - [REMOTE_CODE_EXECUTION]: The skill features a 'CLI Hub' capability that can automatically download and install missing third-party CLI tools (e.g., executing
brew install gh) when a registered command is used, which constitutes a form of remote code execution or dynamic software installation. - [DATA_EXFILTRATION]: The tool is designed to access and reuse the user's active, authenticated browser sessions for over 80 sites, including Twitter, Reddit, and LinkedIn. This allows the agent to read private data such as notifications and bookmarks. The skill attempts to mitigate risk via a 'Security Policy' that instructs the agent to avoid sensitive sites like banking or email, but this is a procedural guideline rather than a technical sandbox.
- [DYNAMIC_EXECUTION]: Through the
opencli operate evalcommand, the skill allows the execution of arbitrary JavaScript code directly within the browser's context. This capability can be used to extract sensitive information from the DOM or perform actions that bypass standard UI constraints. - [EXTERNAL_DOWNLOADS]: The installation process requires the user to globally install an NPM package (
@jackwener/opencli) and a Chrome extension from a third-party GitHub repository, introducing potential supply chain risks. - [PROMPT_INJECTION]: The skill has a large attack surface for indirect prompt injection because it is designed to scrape and process content from a wide variety of external websites. The skill includes specific instruction-based 'Critical Rules' to prevent the agent from following malicious links or tokens found in scraped content, which serves as a basic boundary marker.
Recommendations
- AI detected serious security threats
Audit Metadata