cua-driver-rs
Fail
Audited by Gen Agent Trust Hub on Jul 6, 2026
Risk Level: CRITICALREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill's documentation and instructions (README.md, WINDOWS.md) direct users and agents to install the 'cua-driver' dependency by executing scripts directly from a remote, untrusted source without integrity verification.
- Evidence in
README.md:/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/trycua/cua/main/libs/cua-driver/scripts/install.sh)" - Evidence in
README.md:irm https://raw.githubusercontent.com/trycua/cua/main/libs/cua-driver/scripts/install.ps1 | iex - [COMMAND_EXECUTION]: The skill provides the agent with commands to establish persistence on the host machine by creating a Scheduled Task that automatically runs the driver at system logon.
- Evidence in
WINDOWS.md:cua-driver autostart enablecommand management. - [COMMAND_EXECUTION]: The skill includes instructions and a Python script designed to programmatically modify browser configuration files (e.g., Chrome's
PreferencesJSON) to enable the 'Allow JavaScript from Apple Events' setting, which can weaken the browser's security model. - Evidence in
WEB_APPS.md: Python script targeting~/Library/Application Support/Google/Chrome/Default/Preferences. - [PROMPT_INJECTION]: The skill possesses a significant Indirect Prompt Injection surface as it ingests untrusted data from third-party applications (via accessibility trees) and web pages (via the
pagetool) and uses this data to drive subsequent GUI actions. - Ingestion points:
SKILL.md(get_window_statereturnstree_markdown),WEB_APPS.md(pagetool extracts text and DOM attributes). - Boundary markers: None; the instructions do not include delimiters or warnings to ignore embedded instructions in the processed UI data.
- Capability inventory: The skill has high-privilege GUI capabilities including
click,type_text,launch_app, and arbitrary JavaScript execution via thepagetool. - Sanitization: No sanitization or validation of the ingested UI data is performed before it is processed by the agent.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/trycua/cua/main/libs/cua-driver/scripts/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata