opencli-agent

Security checks across malware telemetry and agentic risk

Overview

The skill is not clearly malicious (no malware vendor flags it), but it gives an agent broad power over logged-in web accounts, local desktop apps, plugins, and external CLI tools. A clean malware verdict covers the skill's files, not the authority those files hand to an agent, which is what the findings below are about.

Install only if you intend to let an agent operate real logged-in accounts through Chrome and potentially interact with local apps and CLI tools. Use a dedicated browser profile or low-risk accounts, verify OpenCLI and its extension source, avoid plugin/auto-install and external CLI proxy features unless explicitly needed, and require manual confirmation before posts, deletes, follows, blocks, downloads, desktop-app messages, or any software installation.
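The confirmation and allowlist rules above can be enforced in front of the agent rather than left to its judgement. The following gate is an added example written for this report; it is not code from OpenCLI or from the opencli-agent skill. It assumes the agent proposes each command as an argv list shaped like `["opencli", <target>, <action>, ...]`; OpenCLI's real command grammar may differ, and the site names, the `feed`/`hot` actions, and the `ask`/`runner` hooks are placeholders. Capability-expanding targets (`plugin`, `explore`, `synthesize`), proxied CLIs (`gh`, `docker`) and desktop apps are refused outright; account-altering verbs from the findings require a human "yes"; everything else must still hit a site allowlist.

```python
"""Policy gate for agent-issued opencli invocations.

Added example for this report, not part of OpenCLI or the opencli-agent skill.
It assumes the agent proposes a command as an argv list shaped like
["opencli", <target>, <action>, ...]; OpenCLI's real grammar may differ, so
the target/action split and the site names used below are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Sequence

# Targets the findings flag as outside a web-automation skill's scope.
DESKTOP_APPS = frozenset({"cursor", "chatgpt", "notion", "discord"})
# Local CLIs the findings cite as proxied and potentially auto-installed.
EXTERNAL_CLIS = frozenset({"gh", "docker"})
# Subcommands that install or generate code (plugin install, explore/synthesize).
CAPABILITY_EXPANDING = frozenset({"plugin", "explore", "synthesize"})
# Account-altering verbs listed in the findings; each needs a human acknowledgement.
STATE_CHANGING = frozenset({
    "post", "reply", "like", "follow", "unfollow", "block", "unblock",
    "delete", "download", "comment", "dm",
})


@dataclass(frozen=True)
class Decision:
    verdict: str  # "allow", "confirm" or "deny"
    reason: str


def evaluate(argv: Sequence[str], allowed_targets: Iterable[str]) -> Decision:
    """Classify one proposed invocation. Denies are checked before the
    allowlist so a site named like a desktop app or CLI cannot slip through."""
    allowed = {t.lower() for t in allowed_targets}
    if not argv or argv[0] != "opencli":
        return Decision("deny", "only opencli invocations pass through this gate")
    if len(argv) < 2:
        return Decision("deny", "no target given")
    target = argv[1].lower()
    if target in CAPABILITY_EXPANDING:
        return Decision("deny", f"'{target}' installs or generates code; disabled")
    if target in EXTERNAL_CLIS:
        return Decision("deny", f"'{target}' proxies a local CLI that may be auto-installed")
    if target in DESKTOP_APPS:
        return Decision("deny", f"'{target}' is a desktop app, not a web service")
    if target not in allowed:
        return Decision("deny", f"'{target}' is not on the site allowlist")
    action = argv[2].lower() if len(argv) > 2 else ""
    if action in STATE_CHANGING:
        return Decision("confirm", f"'{action}' changes the logged-in account")
    return Decision("allow", "read-only action on an allowlisted site")


def run_gated(
    argv: Sequence[str],
    allowed_targets: Iterable[str],
    ask: Callable[[str], bool],
    runner: Callable[[Sequence[str]], None],
) -> str:
    """Enforce the decision: deny never runs, confirm runs only after ask()
    returns True, allow runs immediately. `runner` is injected so the demo
    below records commands instead of executing them."""
    decision = evaluate(argv, allowed_targets)
    if decision.verdict == "deny":
        return "blocked: " + decision.reason
    if decision.verdict == "confirm":
        prompt = " ".join(argv) + " (" + decision.reason + ") [y/N] "
        if not ask(prompt):
            return "declined: " + decision.reason
    runner(list(argv))
    return "ran: " + decision.reason


def demo() -> List[str]:
    """Run a constructed batch of agent requests through the gate with the
    human answering 'no' to every confirmation; returns the outcomes."""
    # "example-site", "other-site", "feed" and "hot" are placeholders, not OpenCLI targets.
    requests = [
        ["opencli", "example-site", "feed"],
        ["opencli", "example-site", "post", "hello"],
        ["opencli", "example-site", "delete", "123"],
        ["opencli", "plugin", "install", "github:user/repo"],
        ["opencli", "gh", "pr", "list"],
        ["opencli", "docker", "ps"],
        ["opencli", "cursor", "send", "summarise this repo"],
        ["opencli", "other-site", "hot"],
    ]
    executed: List[Sequence[str]] = []
    return [
        run_gated(r, ["example-site"], ask=lambda _p: False, runner=executed.append)
        for r in requests
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The gate is deliberately deny-by-default on the target: an agent that drifts into `opencli gh ...` or `opencli cursor ...` because of a broad trigger never reaches the confirmation step, and only sites you listed can be touched at all. In real use, `ask` would prompt the operator and `runner` would call `subprocess.run`, but keep the dedicated Chrome profile recommended above as well, since the gate limits which commands run, not which session they run against.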

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (22)

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The skill expands from website/service automation into desktop-application control (`cursor`, `chatgpt`, `notion`), which materially broadens the authority exposed to the agent. This increases the chance of unintended interaction with local apps, sensitive workspace content, or cross-application actions that users did not expect from a web-automation skill.

Context-Inappropriate Capability

High
Confidence: 98%
Finding
Allowing OpenCLI to proxy and auto-install external CLI tools creates an open-ended execution path beyond the declared skill purpose. This can result in arbitrary tool installation and command execution, substantially increasing supply-chain, privilege, and unintended-action risk if triggered by a prompt or ambiguous user request.

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The reference expands the skill from website/service automation into code generation, local CLI registration, and plugin installation, which materially broadens execution authority beyond the declared purpose. In an agent setting, this creates a capability-smuggling risk where users or downstream components may rely on the docs to invoke privileged behaviors not justified by the skill scope.

Context-Inappropriate Capability

High
Confidence: 97%
Finding
Documenting `opencli plugin install github:user/repo` enables retrieval and installation of untrusted third-party code from arbitrary repositories, which is far beyond normal site automation. In an agent workflow, this can become a direct path to arbitrary code execution or persistence via malicious plugins.

Context-Inappropriate Capability

High
Confidence: 91%
Finding
Commands to `explore` sites and `synthesize` adapters imply automated discovery and code generation for unsupported targets, extending the skill into dynamic capability creation. That increases risk because an agent can be induced to generate or use new integration code outside review and outside the manifest's stated purpose.

Context-Inappropriate Capability

Critical
Confidence: 99%
Finding
Proxying arbitrary local CLIs and auto-installing missing tools via the system package manager effectively turns this skill into a general command-execution and software-installation surface. That is a severe expansion of privilege relative to social/web automation and can lead to arbitrary code execution, unauthorized system changes, and supply-chain compromise.

Context-Inappropriate Capability

Medium
Confidence: 87%
Finding
The skill advertises desktop-application control commands such as sending messages to Cursor or ChatGPT desktop and searching Notion, which exceed the stated scope of website/online-service automation. This scope expansion increases the chance of unintended invocation against local applications and could cause actions in trusted desktop contexts without clear user expectations or consent boundaries.

Context-Inappropriate Capability

High
Confidence: 95%
Finding
The skill explicitly states that OpenCLI can proxy and auto-install external CLI tools, including commands like `opencli gh pr list` and `opencli docker ps`, which materially expands capability from website automation to arbitrary local command execution via third-party tooling. Auto-installation and delegation to external CLIs can introduce supply-chain risk, unexpected privilege use, and execution of commands outside the user’s intended trust boundary.

Description-Behavior Mismatch

High
Confidence: 97%
Finding
The documented capability set materially exceeds the skill's stated purpose of automating interactions with websites and online services. Desktop app control, community plugin installation, local CLI registration/proxying, and package-manager auto-installation expand the trust boundary from remote-service automation into arbitrary local system and application access, which can enable unintended code execution or sensitive-data access if invoked by an agent.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The External CLI Hub allows the skill to proxy locally installed tools and even auto-install missing ones via the system package manager. In an agent setting, this effectively turns a web-automation skill into a general local command execution and software installation surface, creating risk of privilege misuse, host modification, and access to unrelated credentials or repositories.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
Desktop application control via CDP is broader and more sensitive than ordinary website automation because it can interact with locally running apps such as Cursor, ChatGPT desktop, Notion, and Discord. In this skill context, that mismatch increases the chance that an agent can send content into local applications or access user workspace context unrelated to the user's requested web-service task.

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
Plugin installation plus site exploration, synthesis, and adapter/code generation extend the tool from using known service integrations to dynamically adding new execution paths and generated code. That broadens attack surface and can introduce unreviewed third-party code or unsafe generated adapters beyond what users would expect from a simple service-automation skill.

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger description is very broad (`opencli 支持的任何网络服务自动化`, i.e. "automation of any web service supported by opencli"), making accidental or overly permissive invocation more likely. In an agent setting, broad activation criteria can cause the skill to handle requests outside the user's intended scope, including sensitive actions on third-party services.

Missing User Warnings

Medium
Confidence: 96%
Finding
The documentation includes high-impact state-changing actions such as posting, replying, liking, following, blocking, deleting, and downloading without requiring explicit confirmation or warning. In an agent workflow, this can lead to irreversible or reputation-affecting actions being executed directly against logged-in accounts through reused browser sessions.

Missing User Warnings

Medium
Confidence: 94%
Finding
Documenting automatic installation of external CLI tools without strong warnings normalizes behavior that can fetch and run additional software in the user's environment. This is dangerous because it combines hidden dependency acquisition with agent-driven execution, increasing supply-chain and host-compromise risk.

Missing User Warnings

Medium
Confidence: 88%
Finding
The documentation lists account-impacting operations such as posting, deletion, follow/unfollow, block/unblock, and DM replies without highlighting that they alter user accounts or may be irreversible. In an agent context, missing warnings increase the chance of accidental destructive or reputation-impacting actions.

Missing User Warnings

Medium
Confidence: 90%
Finding
Desktop app control commands can inject messages or queries into external applications such as Cursor, ChatGPT desktop, and Discord, but the docs do not warn that this may transmit sensitive local context or trigger side effects in those apps. In a chained-agent setting, this can be used for prompt injection relay, exfiltration, or unintended communication.

Missing User Warnings

Medium
Confidence: 95%
Finding
Stating that missing tools are auto-installed via the system package manager without a safety warning normalizes silent software installation and system modification. This is dangerous because package installation can change the environment, pull in unreviewed dependencies, and create a supply-chain risk.

Vague Triggers

Medium
Confidence: 78%
Finding
The trigger description is extremely broad, covering essentially any command-line automation for any service supported by opencli. Overbroad trigger conditions can cause the skill to activate in situations the user did not intend, increasing the likelihood of unintended web actions, account interactions, or downloads under an existing browser session.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill includes numerous write and destructive operations—posting, replying, liking, following, blocking, deleting, commenting—without explicit warnings or mandatory confirmation guidance. In the context of reused authenticated browser sessions, accidental or ambiguous prompts could lead to irreversible social-media actions, reputation damage, or account misuse.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill emphasizes that OpenCLI reuses Chrome login sessions but does not clearly warn about the privacy and security implications of acting through already-authenticated accounts. This context makes the skill more dangerous because commands may inherit broad account access and perform sensitive reads or writes without the user understanding that their browser session is being leveraged.

Missing User Warnings

Medium
Confidence: 88%
Finding
The reference advertises state-changing actions such as posting, replying, deleting, blocking, following, and software auto-installation without documenting confirmation requirements, account-impact warnings, or system-change implications. In an agent-operated context, omission of these safeguards can lead to accidental destructive actions, reputational harm, account misuse, or host changes the user did not clearly authorize.

VirusTotal

63/63 vendors flagged this skill as clean. This verdict covers the skill's files as malware; it does not assess the agentic risks listed above.