open-interpreter

Pass

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill makes extensive use of the subprocess module to interact with system utilities and bridge logic between sibling scripts. For instance, oi_screenshot.py executes system commands like screencapture (macOS) and scrot (Linux), while oi_type.py uses osascript to handle keyboard hotkeys on macOS. All such calls utilize list-based arguments, which effectively mitigates shell injection risks.
  • [EXTERNAL_DOWNLOADS]: The oi_install.sh script automates the setup process by downloading the open-interpreter package and its dependencies (such as pyautogui, pytesseract, and pyperclip) from the official Python Package Index (PyPI). This is standard behavior for configuring the skill's environment.
  • [PROMPT_INJECTION]: The skill's architecture involves reading screen content via OCR (oi_find_text.py) and vision, which introduces a surface for indirect prompt injection. If a malicious webpage or document is open on the screen, the agent might interpret processed text as instructions.
  • Ingestion points: Screen content processed through oi_screenshot.py and oi_find_text.py (OCR).
  • Boundary markers: No specific delimiters are implemented to separate screen text from system instructions.
  • Capability inventory: High-impact GUI capabilities including mouse control, keyboard input, and autonomous execution loops.
  • Sanitization: Screen content is processed as raw data without specific filtering for instruction-like patterns. This risk is inherent to the skill's primary purpose and is partially mitigated by the human-in-the-loop safety model described in the documentation.
  • [DATA_EXFILTRATION]: The skill includes screenshot and OCR features to enable GUI automation. While these tools allow the agent to read sensitive information visible on the display, this is the intended functionality. The oi_os_mode.py script communicates task data to the Anthropic API (a well-known service) to facilitate autonomous desktop tasks.
Audit Metadata
Risk Level
SAFE
Analyzed
May 19, 2026, 04:39 PM
Security Audit — agent-trust-hub — open-interpreter