desktop
Warn
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses powerful CLI tools including osascript, cliclick, and screencapture to automate the desktop environment. It can simulate keystrokes, move the mouse, and capture screen content, providing a high level of control over the user interface. These operations are found across ocr.py and the wechat-*.sh scripts.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted text from screenshots and chat messages via OCR. Specifically, wechat-monitor.sh polls for a trigger keyword ('MYCC') in WeChat chat content, creating a surface where external messages could influence agent behavior.
  - Ingestion points: Screen captures and WeChat chat area OCR processed in ocr.py and wechat-monitor.sh.
  - Boundary markers: None identified; the system does not appear to distinguish between system UI text and untrusted user-generated content.
  - Capability inventory: Arbitrary mouse clicks, text input, and keystroke injection via cliclick and osascript, enabling execution of arbitrary GUI actions.
  - Sanitization: No validation or sanitization of OCR-derived text is performed.
- [DATA_EXPOSURE]: Sensitive visual data and OCR results are stored in the shared /tmp directory (e.g., /tmp/wechat-monitor.png, /tmp/wechat-trigger), which may be accessible to other local users or processes.
Audit Metadata