desktop-automation
Warn
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: MEDIUM
Finding type: COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The run_script function in run.py executes arbitrary strings as AppleScript using subprocess.run(["osascript", "-e", script]). This allows the agent to interact with and control the macOS desktop environment, including reading information from other applications.
- [COMMAND_EXECUTION]: The open_app function in run.py uses f-string interpolation to construct AppleScript commands: f'tell application "{app}" to activate'. This pattern is vulnerable to injection if the application name contains escaped characters or AppleScript control sequences.
- [PROMPT_INJECTION]: The skill provides a mechanism for indirect prompt injection by processing untrusted data (script content and application names) and executing it with system-level capabilities.
  - Ingestion points: The skill accepts a 'script' string and an 'app' name via CLI arguments parsed in run.py.
  - Boundary markers: None; there are no delimiters or warnings provided to the agent to ignore instructions embedded in the processed data.
  - Capability inventory: The skill uses subprocess.run to execute the osascript binary, which can control nearly any aspect of the macOS GUI and installed applications.
  - Sanitization: No validation, escaping, or sanitization is performed on the user-provided script or application strings before they are passed to the system shell.