orca-emulator
Pass
Audited by Gen Agent Trust Hub on Jun 29, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The
execcommand allows for raw command strings to be passed to the emulator bridge, providing flexible but potentially unsafe execution of simulator controls if driven by unvalidated agent logic. - [DATA_EXFILTRATION]: Accessing the accessibility tree via the
axcommand exposes the internal UI structure of simulated apps, which may contain sensitive user or application data visible to the agent. - [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface where untrusted data from a simulated application could influence agent behavior.
- Ingestion points: UI metadata and the accessibility tree are ingested via
orca emulator ax(SKILL.md). - Boundary markers: There are no specific delimiters or instructions defined to isolate data retrieved from the simulator from the agent's core instructions (Absent).
- Capability inventory: The skill provides a wide range of interaction tools, including
tap,type,gesture, andexec, which can be used to perform actions based on potentially injected instructions (SKILL.md). - Sanitization: The skill does not describe any mechanism for sanitizing or validating the UI content before it is returned to the agent (Absent).
- [EXTERNAL_DOWNLOADS]: The skill references and integrates the
serve-simopen-source tool for emulator streaming and control.
Audit Metadata