Desktop Control
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: CRITICAL
Categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- Remote Code Execution (CRITICAL): In scripts/install.py, the skill executes curl -LsSf https://astral.sh/uv/install.sh | sh. Piping a remote script directly to a shell is a critical security risk, as it allows the execution of unverified and potentially malicious code from an untrusted external source.
- Command Execution (HIGH): The open command in desktop_agent/commands/app.py uses subprocess.Popen with shell=True on Windows and concatenates user-provided application names and arguments directly into the command string (f'start "" "{name}" {" ".join(args_list)}'). This enables arbitrary command injection if the input contains shell metacharacters.
- Prompt Injection (HIGH): The skill is vulnerable to Indirect Prompt Injection (Category 8) due to its high-privilege capabilities and ingestion of untrusted data.
  - Ingestion points: desktop_agent/commands/screen.py (read-all-text) and desktop_agent/commands/message.py (prompt).
  - Boundary markers: None. There are no delimiters or instructions to prevent the agent from obeying commands found on the user's screen or in messages.
  - Capability inventory: Arbitrary shell execution via app.open, keyboard emulation via keyboard.write, and mouse control.
  - Sanitization: Absent. Untrusted content read from the screen is processed without escaping or validation, allowing an attacker to place instructions on a webpage or document that the agent might automatically execute.
- External Downloads (MEDIUM): The README and installation scripts recommend downloading and executing code from various remote sources (uv, pipx, npm) without implementing integrity checks such as hash verification or signature validation.
Recommendations
- CRITICAL: Downloads and executes remote code from untrusted source(s): https://astral.sh/uv/install.sh - DO NOT USE
- AI detected serious security threats
Audit Metadata