desktop-control

Fail

Audited by Gen Agent Trust Hub on Jun 14, 2026

Risk Level: HIGH
Categories: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The installation instructions for 'cua-driver' fetch a shell script from 'https://raw.githubusercontent.com/trycua/cua/main/libs/cua-driver/scripts/install.sh' and pipe it directly to 'bash'. This is a high-risk pattern: the script runs with the current user's privileges before anyone can read it, and because the URL tracks the 'main' branch rather than a fixed commit, the content executed can differ from run to run.
  • [REMOTE_CODE_EXECUTION]: For Windows environments, the skill uses the same pattern: a PowerShell script is downloaded from 'https://raw.githubusercontent.com/trycua/cua/main/libs/cua-driver/scripts/install.ps1' and piped to 'iex' (Invoke-Expression), again executing unreviewed remote content under the current user's context.
  • [EXTERNAL_DOWNLOADS]: The command 'cua-driver skills install' fetches an external 'skill pack' from a remote repository into the local filesystem, introducing unverified instructions and potential tool definitions into the agent's runtime environment.
  • [COMMAND_EXECUTION]: The skill relies on frequent subprocess calls to the 'cua-driver' binary to perform sensitive desktop operations, including enumerating all windows, capturing screenshots, and simulating user input (clicks, keystrokes, hotkeys).
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted content from native application accessibility trees and UI screenshots via 'get_window_state'.
      ◦ Ingestion points: 'get_window_state' in 'SKILL.md' (semantic UI trees and 'tree_markdown').
      ◦ Boundary markers: Absent. The skill does not instruct the agent to ignore or isolate instructions found within the UI data.
      ◦ Capability inventory: 'launch_app', 'click', 'type_text', and 'hotkey' represent a powerful toolset that can be exploited by malicious UI content.
      ◦ Sanitization: Absent. Data from the UI is interpreted directly to locate and interact with interface elements.
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/trycua/cua/main/libs/cua-driver/scripts/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
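What "thorough review" of the installer looks like in practice, as an added example: the script below is not part of the audited skill or of the trycua/cua project. It replaces the 'curl ... | bash' step with fetch-to-file, pin-to-commit, and digest verification before anything is executed. The commit SHA and SHA-256 digest are placeholders the operator records after reading the script; they are not real values from the project.

```shell
#!/usr/bin/env bash
# Added example (not from the audited skill or from trycua/cua): fetch, pin,
# review and verify the installer instead of piping it straight into bash.
# Commit SHA and digest below are operator-supplied placeholders, not real values.
set -eu

INSTALL_URL="https://raw.githubusercontent.com/trycua/cua/main/libs/cua-driver/scripts/install.sh"

# Rewrite a raw.githubusercontent.com URL that tracks a branch ("main") so it
# references an immutable commit instead. Branch content can change between the
# time the script is reviewed and the time it is executed; a commit cannot.
pin_raw_url() {
  url="$1"; commit="$2"
  printf '%s\n' "$url" | sed "s#/main/#/$commit/#"
}

# Portable SHA-256 of a file (coreutils sha256sum, or BSD shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Succeeds only if the file matches the digest recorded after review.
verify_sha256() {
  file="$1"; expected="$2"
  actual="$(sha256_of "$file")"
  [ "$actual" = "$expected" ]
}

# Download to a file, never to a pipe, so it can be read and diffed first.
fetch_script() {
  url="$1"; out="$2"
  curl -fsSL --proto '=https' --tlsv1.2 -o "$out" "$url"
}

# Execute only after the digest check passes; on mismatch leave the file on
# disk for inspection and report the refusal.
run_verified() {
  file="$1"; expected="$2"
  if ! verify_sha256 "$file" "$expected"; then
    echo "refusing to run $file: SHA-256 does not match the reviewed digest" >&2
    return 1
  fi
  bash "$file"
}

# Operator workflow (needs network; angle-bracket values are constructed placeholders):
#   pinned="$(pin_raw_url "$INSTALL_URL" "<commit-sha-you-reviewed>")"
#   fetch_script "$pinned" /tmp/install.sh
#   less /tmp/install.sh                 # read it, then record: sha256_of /tmp/install.sh
#   run_verified /tmp/install.sh "<sha256-you-recorded>"
```

The same discipline applies to the Windows path: download install.ps1 to a file, read it, record its hash, and only then run it, rather than piping 'iwr' output into 'iex'. The 'cua-driver skills install' step that pulls a skill pack deserves the same fetch-then-inspect treatment, since it places tool definitions directly into the agent's runtime.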
Audit Metadata
Risk Level
HIGH
Analyzed
Jun 14, 2026, 08:41 AM