tauri-agent-control

Fail

Audited by Gen Agent Trust Hub on Feb 14, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION] (HIGH): High susceptibility to Indirect Prompt Injection. The skill retrieves UI text from the Tauri app via the /snapshot endpoint. If the app displays untrusted content (e.g., in a chat or webview), an attacker can embed instructions that the agent may follow as if they were system constraints.
    • Ingestion points: SKILL.md and references/snapshot-refs.md (the snapshot endpoint retrieves all element text into the agent context).
    • Capability inventory: /download (file write), /eval (dynamic code execution), /click (UI interaction), /network/route (request interception).
    • Boundary markers: Absent; the documentation does not suggest using delimiters or instructing the agent to ignore instructions embedded in the UI snapshots.
  • [EXTERNAL_DOWNLOADS] (HIGH): The /download endpoint in references/advanced.md allows the agent to fetch any URL and save it to a local path specified by the agent. This facilitates remote file writing on the host system, which could be used to drop malicious scripts or binaries.
  • [COMMAND_EXECUTION] (MEDIUM): The /eval endpoint allows arbitrary JavaScript execution within the Tauri webview. While technically limited to the browser context, this allows the agent to bypass UI security or interact with sensitive application logic and data.
  • [DATA_EXFILTRATION] (MEDIUM): The skill provides direct methods to extract sensitive session data, including cookies, localStorage, and visual screenshots of the desktop app (references/storage-state.md, SKILL.md). In an adversarial scenario, an agent could be manipulated via prompt injection to send this data to an external server.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 14, 2026, 10:18 PM