desktop-app-testing
Fail
Audited by Gen Agent Trust Hub on Jun 19, 2026
Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses SSH to execute shell commands on a remote host ('dookie') to manage infrastructure components (e.g.,
ssh dookie 'docker ps ...',ssh dookie 'docker compose up -d'). - [REMOTE_CODE_EXECUTION]: The skill facilitates the transfer and execution of arbitrary Windows executable files (.exe) into a VM using PowerShell. It retrieves binaries from user-provided URLs or internal hosts via
Invoke-WebRequestand executes them usingStart-Processafter bypassing security blocks withUnblock-File. - [PROMPT_INJECTION]: The skill includes explicit instructions on how to bypass 'destructive-action' gates on the Lab gateway. It guides the agent to use elevated administrative scopes (
lab:admin) or to 'fix the gateway' by rebuilding and redeploying it to suppress security confirmation prompts for destructive operations. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted UI labels and control data to drive its automated testing loop without sanitization.
- Ingestion points: UI Automation tree data retrieved from the 'Snapshot' tool (referenced in SKILL.md and windows-mcp-calls.md).
- Boundary markers: None; the agent processes UI labels and element text directly as targets for actions.
- Capability inventory: Includes remote command execution (SSH), PowerShell execution, file system writes, and process manipulation.
- Sanitization: No validation or escaping is applied to UI-derived text before the agent uses it to drive subsequent actions.
Recommendations
- AI detected serious security threats
Audit Metadata