DeepDive — Autonomous OSINT Investigation Tool

Shell command execution function detected

subprocess.run

Shell command execution function detected

subprocess.run

Shell command execution function detected

subprocess.Popen

The skill automatically clones an external GitHub repository and installs its dependencies via `pip install -r requirements.txt` on first run. A compromise of the upstream repository or the associated user account could lead to the execution of arbitrary malicious code on the user's system.

subprocess.run(['git', 'clone', 'https://github.com/Sinndarkblade/deepdive', install_dir], check=True)
subprocess.run([sys.executable, '-m', 'pip', 'install', '-r', os.path.join(install_dir, 'requirements.txt')], check=True)

The skill generates a local HTML file (`board_3d.html`) and then opens it using `xdg-open` (or equivalent). If the `build_board` function (from the external, potentially compromised, repository) injects malicious JavaScript into this HTML, it could lead to client-side attacks in the user's browser context, including local file access or data exfiltration.

build_board(graph, board_path, 'Investigation: ' + subject, mode='skill')
subprocess.Popen(['xdg-open', board_path], ...)

The investigation directory path is constructed using user-provided input (`subject`). While some sanitization (`replace(' ', '_')`) is present, insufficient validation of `subject` could allow path traversal characters (e.g., `../`) to create directories outside the intended `~/deepdive/investigations` path, potentially leading to resource abuse or unintended file placement.

inv_dir = os.path.join(DEEPDIVE_ROOT, 'investigations', subject.lower().replace(' ', '_'))

The skill automatically clones and executes code from a GitHub repository (Sinndarkblade/deepdive) without any integrity verification (no hash checking, no signature verification, no pinned commit). This allows the repository owner or anyone who compromises it to execute arbitrary code on the agent's host system.

subprocess.run(['git', 'clone', 'https://github.com/Sinndarkblade/deepdive', install_dir], check=True)

After cloning the unverified repository, the skill installs all packages listed in requirements.txt without any version pinning or hash verification. This enables arbitrary package installation and code execution under the agent's privileges.

subprocess.run([sys.executable, '-m', 'pip', 'install', '-r', os.path.join(install_dir, 'requirements.txt')], check=True)

The skill inserts externally-cloned directories into sys.path and imports modules directly from them (graph, build_board). This means attacker-controlled Python modules are loaded and executed within the agent's process space.

sys.path.insert(0, os.path.join(DEEPDIVE_ROOT, 'core'))
sys.path.insert(0, os.path.join(DEEPDIVE_ROOT, 'server'))
sys.path.insert(0, os.path.join(DEEPDIVE_ROOT, 'src'))
from graph import InvestigationGraph, Entity, Connection
from build_board import build_board

The skill uses subprocess.Popen to automatically open generated HTML files and launch a local web server (python3 server/app.py). This constitutes unsupervised process spawning that could be leveraged to execute attacker-supplied code or open malicious content in a browser.

subprocess.Popen(['xdg-open', board_path], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

The skill instructs running 'python3 server/app.py' which starts a local HTTP server on port 8766. This opens a network listener on the host machine without explicit user confirmation, potentially exposing the host to network-based attacks.

cd ~/deepdive && python3 server/app.py
Then open http://localhost:8766/board

The GitHub repository (github.com/Sinndarkblade/deepdive) is from an account with a name suggesting adversarial intent ('Sinndarkblade'). There is no code review, no verification of repository authenticity, and no fallback if the repository is unavailable or has been taken over.

https://github.com/Sinndarkblade/deepdive

The skill is described as an OSINT/investigation tool but actually performs system-level operations including git cloning, pip installation, sys.path manipulation, subprocess spawning, and file system modifications. These capabilities far exceed what a typical 'search and graph' OSINT tool would require.

description: Autonomous OSINT investigation tool [...] subprocess.run(['git', 'clone', ...]) [...] subprocess.run([sys.executable, '-m', 'pip', 'install', ...])

The skill is explicitly designed to autonomously clone a repository, install Python packages, modify sys.path, and execute code without any user approval step. The description frames this as a feature ('auto-installs'), bypassing human-in-the-loop controls.

This skill auto-installs the full DeepDive application from GitHub on first run. [...] if not DEEPDIVE_ROOT: print("DeepDive not found — installing from GitHub...")

The skill is designed to 'expand exponentially through cross-links' and includes an auto-expand command that continuously investigates the most connected uninvestigated node. There are no rate limits, depth limits, or stopping conditions defined, enabling unbounded resource consumption via web searches and graph expansion.

expands exponentially through cross-links [...] /deepdive expand — Auto-expand the most connected uninvestigated node [...] Extract everything. If a result mentions 15 names, extract all 15. Every node is a potential expansion point.