macos-computer-use


Audited by Gen Agent Trust Hub on Mar 16, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to use `swift -e` and `osascript -e` to execute dynamic code strings for UI automation. This allows the agent to interact with low-level macOS APIs (CoreGraphics, ApplicationServices) to inject system-wide input events and manage windows.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted data from the user's screen. Visual content within third-party application windows could contain adversarial instructions designed to influence the agent's actions.
      • Ingestion points: Screenshots of macOS windows captured using the `screencapture` utility (detailed in SKILL.md and references/examples.md).
      • Boundary markers: No explicit markers or instructions are provided to help the agent distinguish between UI elements and potentially malicious text within those elements.
      • Capability inventory: The agent has access to powerful CLI tools (`swift`, `osascript`, `screencapture`) and can simulate keyboard/mouse input via CGEvent (detailed in references/apis.md).
      • Sanitization: There is no mechanism described for sanitizing or filtering the content found within screenshots before processing.
  • [DATA_EXFILTRATION]: The skill captures window content to the local filesystem at /tmp/window.png. While this is part of its functional design, users should be aware that sensitive information visible on screen is being written to a temporary file.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 16, 2026, 03:50 PM