agent-desktop
Pass
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: SAFE
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The instructions direct the agent to execute shell commands to install and verify the `agent-desktop-pp-cli` and the underlying `agent-desktop` tools using `npx`, `go install`, and direct binary execution.
- [EXTERNAL_DOWNLOADS]: The skill initiates downloads of external components from GitHub (`github.com/mvanhorn`, `github.com/lahfir`) and the NPM registry to provide its core functionality.
- [REMOTE_CODE_EXECUTION]: Installation instructions use `npx -y` (the `-y` flag suppresses the confirmation prompt before a package is fetched and run) and `go install` to download and execute code from remote repositories. Additionally, the `agent-desktop-pp-cli` bridge installs further executable components from remote package channels at runtime.
- [DATA_EXFILTRATION]: The skill grants the agent the ability to read potentially sensitive data from the host system, including the system clipboard (`clipboard-get`), screenshots (`screenshot`), and the operating system accessibility tree (`snapshot`), any of which may contain private information from open applications.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted data from the external environment and can act on it.
- Ingestion points: Data enters the agent's context through UI accessibility snapshots, system notifications, and clipboard content.
- Boundary markers: The skill lacks explicit delimiters or instructions to treat data from the desktop UI as untrusted content that should not be interpreted as commands.
- Capability inventory: The agent can perform high-impact actions based on its observations, including typing strings, clicking elements, and launching or closing applications.
- Sanitization: There is no evidence of sanitization, filtering, or validation of the text retrieved from the desktop environment before it is provided to the agent.
Audit Metadata