computer-use-agents
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The skill implements a bash tool (BetaToolBash20241022) allowing the agent to execute arbitrary shell commands. While this is the intended primary purpose of the skill, it creates a significant risk if the agent is compromised or subjected to malicious instructions.
- [REMOTE_CODE_EXECUTION] (MEDIUM): By providing the agent with shell access and the ability to interact with a GUI based on visual reasoning, the skill creates a surface where the agent could be directed to download and execute malicious code discovered in its environment.
- [PROMPT_INJECTION] (LOW): The skill is inherently vulnerable to indirect prompt injection (Category 8). An attacker could place malicious instructions on a screen or in a document that the agent 'sees' and follows. Evidence: 1. Ingestion: Screen captures via pyautogui and scrot. 2. Boundaries: No explicit delimiters or instructions to ignore visual content instructions. 3. Capabilities: Full GUI automation and shell execution. 4. Sanitization: No visual or command sanitization is implemented.
- [DATA_EXFILTRATION] (LOW): The agent captures and base64-encodes full screenshots of the environment. If the reasoning loop is manipulated, this sensitive visual data could be exfiltrated to an external endpoint.
Audit Metadata