computer-use

Warn

Audited by Gen Agent Trust Hub on Jun 24, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill employs a capture action to retrieve screenshots and accessibility tree metadata of the user's desktop, providing access to potentially sensitive on-screen information. Mitigation is suggested through scoped captures and guidance to avoid personal application content.
  • [COMMAND_EXECUTION]: The computer_use tool allows the agent to perform GUI actions such as clicking, typing, and keyboard shortcuts. The skill provides platform-specific mappings and instructions for routing input to applications without stealing user focus.
  • [REMOTE_CODE_EXECUTION]: The documentation instructs the agent to suggest running cua-driver skills install, which downloads and integrates external skill packages from a remote GitHub repository (github.com/trycua/cua).
  • [PROMPT_INJECTION]: The skill addresses indirect prompt injection risks by explicitly instructing the agent to disregard instructions found in captured screenshots or web pages. It also lists tool-level blocks for dangerous shell command patterns.
  • Ingestion points: Screenshot and AX-tree data returned via computer_use(action="capture") in SKILL.md.
  • Boundary markers: Explicit instructions are present to treat the user's prompt as the only source of truth.
  • Capability inventory: Includes actions such as click, type, key, drag, scroll, and focus_app.
  • Sanitization: Implements a blocklist for dangerous command strings like sudo rm -rf or curl | bash during input synthesis.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 24, 2026, 01:26 PM
Security Audit — agent-trust-hub — computer-use