iOS Device Automation
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS / REMOTE_CODE_EXECUTION] (HIGH): The skill executes 'npx @midscene/ios@1', which fetches and runs code from the npm registry at runtime. This introduces a supply chain risk as the package source is external and unverified.
- [INDIRECT PROMPT INJECTION] (HIGH): The skill is highly vulnerable to indirect prompt injection. Ingestion points: Screen content captured via 'take_screenshot' and interpreted by the LLM. Boundary markers: None; the agent cannot distinguish between intended UI labels and malicious text on a processed screen. Capability inventory: Full device interaction via 'act' (tapping, typing, navigating) and local shell access via the 'Bash' tool. Sanitization: None.
- [COMMAND_EXECUTION] (MEDIUM): Utilizes the 'Bash' tool to execute shell commands. While intended for device automation, this provides a mechanism for potential misuse if the agent is manipulated by external data.
Recommendations
- AI detected serious security threats