windows-qa-engineer

Warn

Audited by Gen Agent Trust Hub on May 15, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill_installer.py script automates the installation process by executing shell commands to clone repositories, create Python virtual environments, and install dependencies. It also programmatically modifies the project's .mcp.json file to register the skill as an MCP server. Additionally, scripts/doctor.ps1 modifies the system.yaml configuration file within the UFO directory to apply patches.
  • [REMOTE_CODE_EXECUTION]: The installer script implements a verification step that executes a Python script provided in the install.yaml manifest via python -c. Furthermore, scripts/ufo_windows_qa_mcp_server.py performs monkey-patching of the Microsoft UFO framework's core classes (UIABackendStrategy and ControlInspectorFacade) at runtime to modify their default scanning behavior.
  • [EXTERNAL_DOWNLOADS]: The skill fetches the Microsoft UFO framework from its official GitHub repository and installs several packages (e.g., fastmcp, uiautomation, pyautogui) from the standard PyPI registry.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from the UI of target Windows applications.
    • Ingestion points: the texts and get_app_window_controls_info tools in scripts/ufo_windows_qa_mcp_server.py read text from application windows.
    • Boundary markers: none identified; external content is interpolated directly into the agent context.
    • Capability inventory: the agent has UI manipulation capabilities (click_input, set_edit_text, keyboard_input) and the ability to run system-level installer scripts.
    • Sanitization: no filtering or sanitization of ingested UI text is performed before it is presented to the agent.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 15, 2026, 03:44 PM