turix-cua
Warn
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [DYNAMIC_EXECUTION]: The script run_turix.sh uses a shell heredoc to dynamically generate a Python script for configuration updates. That generated script interpolates the raw user-provided task description directly into a Python triple-quoted string (task = '''$TASK''') without any escaping. A task description containing a closing triple quote followed by further Python code could therefore terminate the string literal and cause that code to be executed.
- [PRIVILEGE_ESCALATION]: The setup documentation (SETUP.md, INTEGRATION.md) instructs users to grant Accessibility and Screen Recording permissions to the terminal or IDE. These permissions provide the agent with broad control over the macOS desktop, including the ability to simulate keystrokes and capture sensitive information from any open application.
- [COMMAND_EXECUTION]: The execution wrapper script run_turix.sh runs Python code from an external, user-cloned repository located at a relative path (../../TuriX-CUA). This bypasses standard package verification and executes unverified logic from a third-party source.
- [INDIRECT_PROMPT_INJECTION]: The skill is designed to process content from external websites and GitHub repositories.
  1. Ingestion points: Safari browser interaction and GitHub repository data, as specified in examples/ai-news-research.md and examples/github-repo-actions.md.
  2. Boundary markers: No explicit boundary markers or delimiters are defined to isolate untrusted web content from the agent's instructions.
  3. Capability inventory: The agent possesses GUI control capabilities (via Accessibility permissions), screen capture capability, and file system write access.
  4. Sanitization: No input sanitization or validation of content retrieved from external web sources is evident in the provided skill files.
Audit Metadata