local-testing
Warn
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Extensive use of
osascript(AppleScript) across multiple scripts to automate UI interactions, keystrokes, and system events in native macOS applications. - [COMMAND_EXECUTION]: Potential AppleScript injection vulnerability in scripts like
test-discord-bot.sh,test-slack-bot.sh, etc., where user-supplied messages are directly interpolated intoosascriptcommand strings without escaping. - [DATA_EXFILTRATION]: The skill provides tools to read and write to the system clipboard (
pbpaste,agent-browser clipboard read,set the clipboard to) and to extract text or screenshots from communication applications (Discord, Slack, Telegram, WeChat, QQ, Lark). - [REMOTE_CODE_EXECUTION]: Supports arbitrary JavaScript execution within a browser or Electron application context using the
agent-browser evalcommand. - [REMOTE_CODE_EXECUTION]: The
record-electron-demo.shscript executes arbitrary shell scripts provided as command-line arguments. - [EXTERNAL_DOWNLOADS]: Instructions include installing the third-party
agent-browserCLI vianpm,brew, orcargo, and using it to download browser binaries. - [PROMPT_INJECTION]: Vulnerable to indirect prompt injection (Category 8) as it ingests untrusted data from external chat messages and web pages through clipboard reading and DOM snapshots.
- Ingestion points:
pbpaste,agent-browser snapshot,screencapture(when combined with vision analysis). - Boundary markers: Absent.
- Capability inventory:
osascript(UI control),agent-browser(JS execution),curl(Network access). - Sanitization: None detected for external content processing.
Audit Metadata