localmac-ai-ocr
Warn
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS)
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes osascript (AppleScript) and ctypes to interface with the macOS ApplicationServices framework for comprehensive GUI automation. This includes activating windows, simulating mouse clicks at specific coordinates, and sending keystrokes to applications. These operations grant the agent significant control over the local desktop environment.
- [DATA_EXFILTRATION]: The skill captures the local screen using the macOS screencapture utility and transmits the resulting image data (Base64 encoded) to a remote API endpoint defined by the user-provided AISTUDIO_OCR_API_URL environment variable. This constitutes a potential exposure of sensitive information visible on the screen during the capture process.
- [EXTERNAL_DOWNLOADS]: The setup.sh script and the tool wrappers (scripts/gui, scripts/ocr) use the uv package manager to install and manage Python dependencies such as Pillow and requests. The skill also supports downloading and loading PaddleOCR models if the user chooses the local backend.
- [INDIRECT_PROMPT_INJECTION]:
  - Ingestion points: The skill processes text extracted from screen captures via OCR in scripts/ocr_tool.py.
  - Boundary markers: No explicit boundary markers or instructions are provided to the agent to treat OCR-extracted text as untrusted content.
  - Capability inventory: The skill possesses high-privilege capabilities including mouse simulation, keystroke injection, and window management in scripts/gui_toolkit.py.
  - Sanitization: Keystrokes processed via send_text are escaped to mitigate basic AppleScript injection, though the logic is primarily for syntax correctness.
Audit Metadata