skills/jmagar/lab/desktop-app-testing/Gen Agent Trust Hub

desktop-app-testing

Fail

Audited by Gen Agent Trust Hub on Jun 19, 2026

Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses SSH to execute shell commands on a remote host ('dookie') to manage infrastructure components (e.g., ssh dookie 'docker ps ...', ssh dookie 'docker compose up -d').
  • [REMOTE_CODE_EXECUTION]: The skill facilitates the transfer and execution of arbitrary Windows executable files (.exe) into a VM using PowerShell. It retrieves binaries from user-provided URLs or internal hosts via Invoke-WebRequest and executes them using Start-Process after bypassing security blocks with Unblock-File.
  • [PROMPT_INJECTION]: The skill includes explicit instructions on how to bypass 'destructive-action' gates on the Lab gateway. It guides the agent to use elevated administrative scopes (lab:admin) or to 'fix the gateway' by rebuilding and redeploying it to suppress security confirmation prompts for destructive operations.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted UI labels and control data to drive its automated testing loop without sanitization.
  • Ingestion points: UI Automation tree data retrieved from the 'Snapshot' tool (referenced in SKILL.md and windows-mcp-calls.md).
  • Boundary markers: None; the agent processes UI labels and element text directly as targets for actions.
  • Capability inventory: Includes remote command execution (SSH), PowerShell execution, file system writes, and process manipulation.
  • Sanitization: No validation or escaping is applied to UI-derived text before the agent uses it to drive subsequent actions.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Jun 19, 2026, 02:13 AM
Security Audit — agent-trust-hub — desktop-app-testing