computer-use-agents
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Tags: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (LOW): The skill possesses a significant surface for indirect prompt injection as it ingests untrusted visual data.
  - Ingestion points: Screen captures are taken via `pyautogui.screenshot()` and `scrot` (in `SKILL.md`), which are then processed by the Vision-Language Model.
  - Boundary markers: Absent; there are no delimiters or specific instructions to help the model distinguish between system UI and potentially malicious content displayed on the screen.
  - Capability inventory: The agent has full GUI control via `pyautogui` (click, type, press, scroll) and shell execution capabilities via `BetaToolBash20241022`.
  - Sanitization: Absent; the skill does not implement any visual filtering or content sanitization before sending data to the model.
- Unverifiable Dependencies & Remote Code Execution (SAFE): The skill references standard, well-known libraries (`anthropic`, `pyautogui`, `Pillow`) and provides a legitimate `bash` tool implementation as part of its primary instructional purpose for computer-use agents.
- Command Execution (SAFE): While the skill implements shell and GUI command execution, these are explicitly presented as the primary function of the agent and are accompanied by strong security warnings and isolation patterns (Docker, non-root user, seccomp).
Audit Metadata