tip-gui-skill
Warn
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: MEDIUMCREDENTIALS_UNSAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill reads from the local file system at
~/Library/Application Support/Tip/settings.json, which contains sensitive authentication data including API keys and Bearer tokens for external model providers. - [COMMAND_EXECUTION]: The script
tip_gui_bridge.pyusessubprocess.runto execute Python snippets through a local virtual environment located at~/service/youtu-tip/youtu-tip/python/.venv/bin/python. This allows for the execution of arbitrary Python logic on the host machine. - [DATA_EXFILTRATION]: The
describecommand captures the current state of the user's desktop as a screenshot and transmits it, along with API keys extracted from local configuration, to external OpenAI-compatible endpoints. This transmits visual workspace data and associated secrets to remote servers. - [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface when processing screen content.
- Ingestion points: Untrusted visual data from the user's screen is captured via
cmd_describeand converted to text by an LLM. - Boundary markers: There are no markers or safety instructions in the prompt template to prevent the model from following instructions embedded in the visual content (e.g., text on the desktop).
- Capability inventory: The skill has the ability to execute shell commands and automate GUI interactions (clicks, typing) which can be manipulated by injected instructions.
- Sanitization: The description output derived from visual content is returned directly to the agent context without sanitization.
Audit Metadata