screenshot
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGHCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [Data Exposure & Exfiltration] (HIGH): The skill programmatically captures the user's entire screen or specific windows and saves them to
/tmp. These screenshots can contain highly sensitive information, including visible credentials, private communications, or financial data, which are then read into the agent's context and could be exfiltrated. - [Indirect Prompt Injection] (HIGH): The agent ingests untrusted visual data from the screenshot. If a malicious instruction is displayed on the screen (e.g., via a website, email, or document), the agent might execute it. Given the skill's 'Bash' capability, this could lead to unauthorized system modifications or data theft.
- Ingestion points: Reads captured image data from
/tmp/alma-screenshot-thumb.jpg. - Boundary markers: None. The agent treats visual information as raw context.
- Capability inventory: Uses the
Bashtool to executescreencaptureandsips. The presence of theBashtool itself allows for broader exploitation if an injection occurs. - Sanitization: None. The skill captures raw screen state without filtering.
- [Command Execution] (MEDIUM): While the skill uses specific paths for system binaries (
/usr/sbin/screencapture,/usr/bin/sips), the combination of executing commands based on visual state and having general 'Bash' tool access increases the risk profile significantly.
Recommendations
- AI detected serious security threats
Audit Metadata