local-testing

Warn

Audited by Gen Agent Trust Hub on May 20, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: Extensive use of osascript (AppleScript) across multiple scripts to automate UI interactions, keystrokes, and system events in native macOS applications.
  • [COMMAND_EXECUTION]: Potential AppleScript injection vulnerability in scripts like test-discord-bot.sh, test-slack-bot.sh, etc., where user-supplied messages are directly interpolated into osascript command strings without escaping.
  • [DATA_EXFILTRATION]: The skill provides tools to read and write to the system clipboard (pbpaste, agent-browser clipboard read, set the clipboard to) and to extract text or screenshots from communication applications (Discord, Slack, Telegram, WeChat, QQ, Lark).
  • [REMOTE_CODE_EXECUTION]: Supports arbitrary JavaScript execution within a browser or Electron application context using the agent-browser eval command.
  • [REMOTE_CODE_EXECUTION]: The record-electron-demo.sh script executes arbitrary shell scripts provided as command-line arguments.
  • [EXTERNAL_DOWNLOADS]: Instructions include installing the third-party agent-browser CLI via npm, brew, or cargo, and using it to download browser binaries.
  • [PROMPT_INJECTION]: Vulnerable to indirect prompt injection (Category 8) as it ingests untrusted data from external chat messages and web pages through clipboard reading and DOM snapshots.
  • Ingestion points: pbpaste, agent-browser snapshot, screencapture (when combined with vision analysis).
  • Boundary markers: Absent.
  • Capability inventory: osascript (UI control), agent-browser (JS execution), curl (Network access).
  • Sanitization: None detected for external content processing.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 20, 2026, 08:32 PM
Security Audit — agent-trust-hub — local-testing