ov-resources

Pass

Audited by Gen Agent Trust Hub on Jun 26, 2026

Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill facilitates indirect prompt injection by ingesting untrusted data from external sources (URLs, Git repositories) via the ov add-resource command.
  • Ingestion points: External URLs and Git repositories processed through ov add-resource (docs/add-resource.md).
  • Boundary markers: None identified in the provided documentation or examples to separate ingested content from agent instructions.
  • Capability inventory: The skill allows file modification (ov write), deletion (ov rm), and persistent background tasks (ov task watch) as detailed in docs/filesystem.md and docs/watch-management.md.
  • Sanitization: No evidence of content sanitization or validation before processing by the agent.
  • [EXTERNAL_DOWNLOADS]: The ov add-resource command explicitly supports fetching resources from remote URLs and cloning Git repositories, including those from untrusted third-party sources.
  • [COMMAND_EXECUTION]: The skill provides the agent with the ability to execute a wide range of CLI commands, including destructive operations like recursive removal (ov rm --recursive) and file overwriting (ov write).
  • [DATA_EXFILTRATION]: The resource management capabilities allow the agent to read, search, and export data. While intended for context management, these tools can access local filesystem paths and package content into archives (ov export), which constitutes a data exposure surface.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 26, 2026, 10:43 AM
Security Audit — agent-trust-hub — ov-resources