droid-control
Fail
Audited by Gen Agent Trust Hub on Apr 21, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Uses sudo apt-get to install system packages such as cage, wtype, ffmpeg, and grim, which escalates privileges to root in order to modify the system environment.
- [COMMAND_EXECUTION]: Dynamically constructs and executes shell commands for terminal automation, including the use of absolute file paths and session management in global temporary directories (/tmp/tctl-sessions/).
- [EXTERNAL_DOWNLOADS]: Fetches and installs multiple external dependencies from npm (tuistory), pip (asciinema), and cargo. Specifically, it downloads and compiles the agg tool directly from a remote GitHub repository using cargo install --git.
- [PROMPT_INJECTION]: Operates as an automation driver that processes output from external applications (TUIs and web apps) to determine its next actions. This architecture is vulnerable to indirect prompt injection, as a malicious target application could produce output designed to influence the agent's behavior.
- Ingestion points: Terminal output via tuistory/tctl and web page content via agent-browser.
- Boundary markers: No specific delimiters or safety warnings for ignoring embedded instructions in external data are implemented.
- Capability inventory: Extensive subprocess execution (tctl, bash, remotion), file system writes, and network-enabled browser automation.
- Sanitization: The skill does not define sanitization or validation protocols for the data ingested from target applications.
Recommendations
- AI detected serious security threats
Audit Metadata