omni-vu
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- Indirect Prompt Injection (HIGH): This is the most significant risk as the skill processes untrusted visual data from the screen. Malicious instructions displayed on a website or document could be interpreted by the vision model as instructions for the agent. 1. Ingestion points: Screen captures processed by
vu_describe(SKILL.md). 2. Boundary markers: No markers exist to separate screen content from agent instructions. 3. Capability inventory: Includes powerful tools for clicking, typing, and executing hotkeys (vu_click,vu_type,vu_hotkey). 4. Sanitization: No validation or filtering of visual content is mentioned. - Data Exfiltration & Exposure (HIGH): Screen captures inherently contain sensitive data like PII or credentials. These are stored locally in
~/.omni.vu/captures/and sent to external AI providers (Claude, OpenAI, Gemini) for analysis. - Command Execution (HIGH): The GUI automation capabilities (
vu_type,vu_hotkey) can be used by an attacker (via prompt injection) to open a terminal and execute arbitrary shell commands on the host system. - Privilege Escalation (MEDIUM): The skill requires macOS 'Screen Recording' and 'Accessibility' permissions, which allow the agent to bypass standard application-level security boundaries.
Recommendations
- AI detected serious security threats
Audit Metadata