open-computer-use-automation
Warn
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: MEDIUM
Flags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs users to install the `open-computer-use` package globally from the NPM registry and fetches additional skill configurations from the GitHub repository `iFurySt/open-codex-computer-use`.
- [COMMAND_EXECUTION]: Provides tools to simulate user input, including `click_element`, `type_text`, and `press_key`. These tools allow an AI agent to programmatically control applications and the host operating system.
- [DATA_EXFILTRATION]: The `take_screenshot` and `get_app_state` tools enable the agent to capture and read everything displayed on the screen, including potentially sensitive information in open applications (e.g., passwords, private messages, or financial data).
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from the user interface of third-party applications. Content displayed in an app (e.g., a browser or document) could contain instructions that influence the agent's behavior.
- Ingestion points: UI element hierarchy and attributes (titles, values) processed by `get_app_state` in `SKILL.md`.
- Boundary markers: None identified in the provided documentation or tool definitions.
- Capability inventory: Full UI control (clicks, typing, keyboard shortcuts) and screen capture capabilities as defined in `SKILL.md`.
- Sanitization: No explicit sanitization or filtering of the UI content is described.
Audit Metadata