Back to skill

Security audit

opencli

Security checks across malware telemetry and agentic risk

Overview

This skill is useful but needs review because it can use logged-in browser sessions to read private account content, perform account actions, automate unsupported sites, and persist new site automations.

Install only if you are comfortable letting the agent use accounts already logged in through Chrome. Prefer a separate browser profile or dedicated accounts, keep sensitive services logged out, require explicit confirmation before any post, reply, like, delete, check-in, private-message read, or Playwright fallback, and periodically inspect or remove generated files under ~/.opencli/clis. VirusTotal was pending, so this verdict is based on the artifact evidence and scanner context, not malware telemetry.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill’s documented behavior materially expands from a CLI wrapper into direct browser automation against authenticated sessions, including reading messages and performing writes on behalf of the user. This creates a capability mismatch: callers may invoke the skill expecting constrained opencli behavior, while the skill can silently escalate to Playwright-driven access to private account content and actions.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The self-extension section allows the skill to generate or manually author new site definitions and scrape arbitrary sites by exploring DOM structure and writing YAML under the user environment. That effectively turns a site-specific helper into a general-purpose authenticated web scraping/automation framework, greatly increasing scope and enabling unreviewed capability expansion beyond what the manifest communicates.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The skill's activation guidance is broad enough that an agent may invoke opencli for loosely related browsing/search requests without clearly establishing user intent, target platform, or whether access to the user's logged-in session is appropriate. Because the tool operates through existing authenticated Chrome sessions, over-triggering can expose private timelines, messages, watchlists, history, or other account-scoped data and may also lead to unintended account actions on supported platforms.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README emphasizes the convenience of reusing Chrome login sessions but does not clearly warn that even read/search operations may access sensitive authenticated data tied to the user's accounts. In this skill context, that omission is especially dangerous because the supported commands include personal timelines, bookmarks, watchlists, history, and potentially messages, so users may authorize the skill without understanding the privacy and account-bound data exposure involved.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger language is extremely broad and overlaps with common browsing, searching, reading messages, and posting requests across many platforms. Broad triggers increase the chance of unintentional invocation in sensitive contexts, causing the agent to act on authenticated sessions or private content when the user did not specifically request this high-privilege skill.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
These commands perform live account-affecting actions such as posting, replying, liking, and deleting content via the user's authenticated browser session, but the reference gives no caution that they mutate state. In an agent setting, missing warnings increases the chance of unintended social actions, reputation damage, or irreversible deletion triggered by ambiguous user requests or agent misinterpretation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documented daily sign-in/reward claim performs a live account operation and can trigger automated engagement behavior on behalf of the user, yet it is presented like a normal read command. In a skill that uses the user's Chrome login session, this can lead to silent state changes, unexpected account activity, or policy/compliance issues if invoked without clear consent.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.