computer-use
Warn
Audited by Gen Agent Trust Hub on Jun 24, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill employs a
captureaction to retrieve screenshots and accessibility tree metadata of the user's desktop, providing access to potentially sensitive on-screen information. Mitigation is suggested through scoped captures and guidance to avoid personal application content. - [COMMAND_EXECUTION]: The
computer_usetool allows the agent to perform GUI actions such as clicking, typing, and keyboard shortcuts. The skill provides platform-specific mappings and instructions for routing input to applications without stealing user focus. - [REMOTE_CODE_EXECUTION]: The documentation instructs the agent to suggest running
cua-driver skills install, which downloads and integrates external skill packages from a remote GitHub repository (github.com/trycua/cua). - [PROMPT_INJECTION]: The skill addresses indirect prompt injection risks by explicitly instructing the agent to disregard instructions found in captured screenshots or web pages. It also lists tool-level blocks for dangerous shell command patterns.
- Ingestion points: Screenshot and AX-tree data returned via
computer_use(action="capture")in SKILL.md. - Boundary markers: Explicit instructions are present to treat the user's prompt as the only source of truth.
- Capability inventory: Includes actions such as
click,type,key,drag,scroll, andfocus_app. - Sanitization: Implements a blocklist for dangerous command strings like
sudo rm -rforcurl | bashduring input synthesis.
Audit Metadata