axe-ios-simulator

Warn

Audited by Gen Agent Trust Hub on Mar 30, 2026

Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructs the user to install the AXe CLI tool via brew install cameroncooke/axe/axe. This installs an external binary from a third-party Homebrew repository that is not part of the pre-approved trusted vendor list.
  • [COMMAND_EXECUTION]: The skill is entirely centered around the execution of shell commands using the axe utility. It provides patterns for simulating touch gestures, keyboard input, and hardware button presses on an iOS Simulator.
  • [DATA_EXFILTRATION]: The skill documentation includes commands for capturing sensitive data from the simulated environment, including full-screen screenshots (axe screenshot), video recordings (axe record-video), and inspection of the entire accessibility UI tree (axe describe-ui). While these are functional requirements for simulator automation, they could be leveraged to extract sensitive information.
  • [PROMPT_INJECTION]: The skill exhibits a significant surface for indirect prompt injection (Category 8) because it passes user-provided or data-derived strings directly into interaction commands.
      • Ingestion points: Labels, IDs, and text strings used in axe tap --label, axe tap --id, and axe type commands.
      • Boundary markers: There are no boundary markers or instructions to the agent to treat input data as untrusted or to ignore embedded instructions.
      • Capability inventory: The skill allows for arbitrary command execution, file writing (screenshots/video), and detailed UI inspection.
      • Sanitization: There is no evidence of input validation or sanitization before passing parameters to the shell commands.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 30, 2026, 11:28 AM