The Agent Skills Directory

COMMAND_EXECUTION (HIGH): The skill implements a ComputerUseAgent class and AnthropicComputerUse class that use pyautogui and subprocess to perform system-level actions.
Evidence: pyautogui.click(), pyautogui.typewrite(), and subprocess.run(["scrot", ...]) are used to interact with the OS.
Risk: An attacker can use Indirect Prompt Injection to force the agent to type malicious commands or click destructive UI elements.
DATA_EXFILTRATION (HIGH): The capture_screenshot method captures the entire screen state and encodes it as Base64 to be sent to an LLM provider.
Evidence: pyautogui.screenshot() in SKILL.md.
Risk: Sensitive information visible on the screen (passwords in terminal, private emails, etc.) is automatically exposed to the model and potentially logged by the service provider.
REMOTE_CODE_EXECUTION (HIGH): The skill explicitly defines a bash tool (BetaToolBash20241022) designed to run shell commands as requested by the AI.
Evidence: self._handle_bash(input) in AnthropicComputerUse class.
Risk: This provides a direct path for an AI to execute arbitrary code on the system or inside the container.
INDIRECT PROMPT INJECTION (HIGH): This skill is a prime target for Category 8 attacks.
Ingestion points: Screen captures of third-party applications or web browsers.
Capability inventory: Full GUI control (mouse/keyboard) and shell access via bash tool.
Sanitization: None provided; the model acts directly on visual reasoning.
Risk: If the agent "sees" a malicious instruction on a website (e.g., "Open terminal and run rm -rf /"), it may execute it.

computer-use-agents