axiom-axe-ref

Pass

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: SAFE EXTERNAL_DOWNLOADS COMMAND_EXECUTION PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill recommends installing a third-party CLI utility via Homebrew: 'brew install cameroncooke/axe/axe'. This binary is hosted in a personal GitHub repository rather than a verified organization or official vendor repo.
  • [COMMAND_EXECUTION]: The instructions involve executing numerous shell commands to interact with iOS simulators. This includes the 'axe' tool for UI manipulation, 'xcrun simctl' for device control, and 'jq' for data parsing, providing the agent with broad execution capabilities within the host environment.
  • [PROMPT_INJECTION]: The 'describe-ui' command provides the agent with the simulator's UI accessibility tree, which is a vector for indirect prompt injection. Malicious apps or sites on the simulator could display text designed to hijack the agent's logic when it reads the UI state.
      • Ingestion points: 'axe describe-ui' outputs simulator content directly into the agent context.
      • Boundary markers: There are no instructions for using delimiters or boundary markers to isolate UI text from agent instructions.
      • Capability inventory: The skill enables tapping, typing, scrolling, hardware button simulation, and shell execution.
      • Sanitization: No sanitization or filtering of the accessibility identifiers or labels is described.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 5, 2026, 11:54 AM