gemini-computer-use
Pass
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: SAFE
Tags: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes arbitrary external web content, making it susceptible to indirect prompt injection attacks where a website might contain instructions that manipulate the agent's behavior.
  - Ingestion points: The agent navigates to URLs and takes screenshots in scripts/computer_use_agent.py.
  - Boundary markers: No specific delimiters or safety instructions are provided to the model to distinguish between user goals and website content.
  - Capability inventory: The agent can click, type, press keys, and navigate, providing a broad surface for unauthorized actions if the model is compromised.
  - Sanitization: No sanitization or filtering of the visual or textual data from the browser is performed before it is sent to the model.
- [COMMAND_EXECUTION]: The scripts/computer_use_agent.py script allows specifying an executable path via the COMPUTER_USE_BROWSER_EXECUTABLE environment variable, which Playwright then executes. This provides a vector for running arbitrary local binaries if the environment is misconfigured.
Audit Metadata