computer-use-agents
Warn
Audited by Gen Agent Trust Hub on Apr 13, 2026
Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The ComputerUseAgent class and associated patterns use pyautogui and xdotool to perform direct system actions, including clicking, typing, and mouse movement. These actions are triggered by instructions parsed from AI model responses.
- [REMOTE_CODE_EXECUTION]: The AnthropicComputerUse class implements a bash tool that executes shell commands via subprocess.run(shell=True). Because these commands originate from an AI model processing external, potentially untrusted visual data, this creates a vector for code execution if the model is compromised.
- [PROMPT_INJECTION]: The architecture described is inherently vulnerable to indirect prompt injection (Category 8) due to its core functionality of processing external data.
- Ingestion points: The skill captures screenshots of websites and applications and retrieves DOM snapshots via Playwright, bringing untrusted content into the agent's reasoning context.
- Boundary markers: The implementation relies on system prompts to enforce JSON formatting but lacks robust delimiters to prevent the model from obeying instructions embedded in the captured visual or textual data.
- Capability inventory: The agent has access to powerful tools, including a bash shell, file system operations (read/write), and GUI control.
- Sanitization: The provided patterns include a basic blacklist for dangerous commands (e.g., rm -rf), which provides minimal protection against adversarial bypasses.
- [DATA_EXFILTRATION]: The skill captures screen content via pyautogui or scrot and transmits the encoded image data to the Anthropic API for processing. This involves the handling and external transmission of potentially sensitive information displayed on the user's screen.
Audit Metadata