computer-use-cli
Pass
Audited by Gen Agent Trust Hub on Mar 31, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on executing system commands such as
xdotool,scrot,imagemagick, andxdpyinfovia the Pythonsubprocessmodule. - Evidence: The script
scripts/cu.pyusessubprocess.runto call these binaries for automation tasks. The implementation avoidsshell=Trueand uses the--separator forxdotoolcommands, which effectively mitigates standard command injection risks from user-supplied text or keys. - [PROMPT_INJECTION]: The skill creates a surface for indirect prompt injection (Category 8) because it captures and returns screenshots of the desktop environment to the agent.
- Ingestion points: Visual data enters the agent context via
cu-screenshotand thetake_screenshotfunction inscripts/cu.py. - Boundary markers: There are no boundary markers or 'ignore' instructions applied to the visual content rendered by the GUI applications.
- Capability inventory: The skill possesses the capability to simulate keyboard and mouse input via
xdotool, providing a mechanism for an injection to trigger further actions. - Sanitization: No sanitization is performed on the visual content before it is processed by the agent's vision capabilities. This is an inherent risk of visual automation where the agent might follow instructions displayed within a GUI app.
Audit Metadata