cartographer
Pass
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on the `agent-device` CLI tool to perform operations such as listing devices, capturing UI snapshots, and simulating user interactions (press, scroll, navigation). These commands are used to gather data about mobile app structures.
- [EXTERNAL_DOWNLOADS]: The documentation directs users to install the `agent-device` package via `npm`. This tool appears to be a core component provided by the author to enable the skill's functionality.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface as it ingests and processes text data (labels, identifiers, and placeholders) from the UI of external mobile applications. While the skill defines 'Safety Rules' to prevent the agent from performing dangerous actions like clicking 'Delete' or 'Purchase' buttons, there are no specific sanitization steps to prevent malicious text within a mobile app's UI from being interpreted as instructions by the underlying AI model.
  - Ingestion points: UI data is ingested via the `agent-device snapshot --json` command in `SKILL.md`.
  - Boundary markers: No explicit delimiters are used to separate ingested UI text from the agent's internal instructions.
  - Capability inventory: The skill can execute various device interaction commands through the `agent-device` CLI.
  - Sanitization: Action-level sanitization is present via 'Blocked identifiers' and 'Blocked labels' lists to prevent high-risk interactions during autonomous mapping.
Audit Metadata