open-interpreter
Pass
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill makes extensive use of the
subprocessmodule to interact with system utilities and bridge logic between sibling scripts. For instance,oi_screenshot.pyexecutes system commands likescreencapture(macOS) andscrot(Linux), whileoi_type.pyusesosascriptto handle keyboard hotkeys on macOS. All such calls utilize list-based arguments, which effectively mitigates shell injection risks. - [EXTERNAL_DOWNLOADS]: The
oi_install.shscript automates the setup process by downloading theopen-interpreterpackage and its dependencies (such aspyautogui,pytesseract, andpyperclip) from the official Python Package Index (PyPI). This is standard behavior for configuring the skill's environment. - [PROMPT_INJECTION]: The skill's architecture involves reading screen content via OCR (
oi_find_text.py) and vision, which introduces a surface for indirect prompt injection. If a malicious webpage or document is open on the screen, the agent might interpret processed text as instructions. - Ingestion points: Screen content processed through
oi_screenshot.pyandoi_find_text.py(OCR). - Boundary markers: No specific delimiters are implemented to separate screen text from system instructions.
- Capability inventory: High-impact GUI capabilities including mouse control, keyboard input, and autonomous execution loops.
- Sanitization: Screen content is processed as raw data without specific filtering for instruction-like patterns. This risk is inherent to the skill's primary purpose and is partially mitigated by the human-in-the-loop safety model described in the documentation.
- [DATA_EXFILTRATION]: The skill includes screenshot and OCR features to enable GUI automation. While these tools allow the agent to read sensitive information visible on the display, this is the intended functionality. The
oi_os_mode.pyscript communicates task data to the Anthropic API (a well-known service) to facilitate autonomous desktop tasks.
Audit Metadata