computer-use-agents
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill implements pyautogui for mouse and keyboard control. This allows the agent to interact with any GUI element, effectively granting it the ability to perform any user action, including opening terminals or modifying system settings.
- [REMOTE_CODE_EXECUTION] (HIGH): The Anthropic tool implementation includes BetaToolBash20241022, which explicitly enables the execution of arbitrary bash commands. This is a critical capability that can be abused to run malicious scripts if the agent is compromised.
- [PROMPT_INJECTION] (HIGH): The skill is highly susceptible to Indirect Prompt Injection (Category 8) because it processes untrusted external data with high-privilege capabilities.
  - Ingestion points: Screen captures via pyautogui.screenshot() and the scrot command in SKILL.md.
  - Boundary markers: Absent. The agent processes the entire visual field as context without delimiters to distinguish between system instructions and untrusted content on the screen.
  - Capability inventory: GUI automation (pyautogui), arbitrary shell execution (bash tool), and file modification (str_replace_editor), as seen in the Python implementation in SKILL.md.
  - Sanitization: None. The skill lacks any mechanism to sanitize or validate the content of the screenshots before the vision model plans actions based on them.
- [EXTERNAL_DOWNLOADS] (LOW): The Dockerfile and Python code reference standard packages and utilities (anthropic, pyautogui, xvfb, scrot). While these are external dependencies, they are well-known and consistent with the skill's stated purpose.
Recommendations
- AI detected serious security threats