agent-desktop

Pass

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The instructions direct the agent to execute shell commands to install and verify the agent-desktop-pp-cli and the underlying agent-desktop tools using npx, go install, and direct binary execution.
  • [EXTERNAL_DOWNLOADS]: The skill initiates downloads of external components from GitHub (github.com/mvanhorn, github.com/lahfir) and the NPM registry to provide its core functionality.
  • [REMOTE_CODE_EXECUTION]: Installation instructions utilize npx -y and go install to download and execute code from remote repositories. Additionally, the agent-desktop-pp-cli bridge installs further executable components from remote package channels at runtime.
  • [DATA_EXFILTRATION]: The skill grants the agent the ability to read potentially sensitive data from the host system, including the system clipboard (clipboard-get), screenshots (screenshot), and the operating system accessibility tree (snapshot), which may contain private information from open applications.
  • [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection because it processes untrusted data from the external environment.
  • Ingestion points: Data enters the agent's context through UI accessibility snapshots, system notifications, and clipboard content.
  • Boundary markers: The skill lacks explicit delimiters or instructions to treat data from the desktop UI as untrusted content that should not be interpreted as commands.
  • Capability inventory: The agent can perform high-impact actions based on its observations, including typing strings, clicking elements, and launching or closing applications.
  • Sanitization: There is no evidence of sanitization, filtering, or validation of the text retrieved from the desktop environment before it is provided to the agent.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 13, 2026, 05:16 AM
Security Audit — agent-trust-hub — agent-desktop