skills/qwenlm/qwen-code/cua-driver-rs/Gen Agent Trust Hub

cua-driver-rs

Fail

Audited by Gen Agent Trust Hub on Jul 6, 2026

Risk Level: CRITICALREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill's documentation and instructions (README.md, WINDOWS.md) direct users and agents to install the 'cua-driver' dependency by executing scripts directly from a remote, untrusted source without integrity verification.
  • Evidence in README.md: /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/trycua/cua/main/libs/cua-driver/scripts/install.sh)"
  • Evidence in README.md: irm https://raw.githubusercontent.com/trycua/cua/main/libs/cua-driver/scripts/install.ps1 | iex
  • [COMMAND_EXECUTION]: The skill provides the agent with commands to establish persistence on the host machine by creating a Scheduled Task that automatically runs the driver at system logon.
  • Evidence in WINDOWS.md: cua-driver autostart enable command management.
  • [COMMAND_EXECUTION]: The skill includes instructions and a Python script designed to programmatically modify browser configuration files (e.g., Chrome's Preferences JSON) to enable the 'Allow JavaScript from Apple Events' setting, which can weaken the browser's security model.
  • Evidence in WEB_APPS.md: Python script targeting ~/Library/Application Support/Google/Chrome/Default/Preferences.
  • [PROMPT_INJECTION]: The skill possesses a significant Indirect Prompt Injection surface as it ingests untrusted data from third-party applications (via accessibility trees) and web pages (via the page tool) and uses this data to drive subsequent GUI actions.
  • Ingestion points: SKILL.md (get_window_state returns tree_markdown), WEB_APPS.md (page tool extracts text and DOM attributes).
  • Boundary markers: None; the instructions do not include delimiters or warnings to ignore embedded instructions in the processed UI data.
  • Capability inventory: The skill has high-privilege GUI capabilities including click, type_text, launch_app, and arbitrary JavaScript execution via the page tool.
  • Sanitization: No sanitization or validation of the ingested UI data is performed before it is processed by the agent.
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/trycua/cua/main/libs/cua-driver/scripts/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level
CRITICAL
Analyzed
Jul 6, 2026, 05:50 AM
Security Audit — agent-trust-hub — cua-driver-rs