computer-use

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.75). The required runtime workflow repeatedly calls zero computer-use get-app-state and then reads the returned appState (accessibility tree) and screenshot for the target app; if the target app contains outsider-authored text (e.g., Slack messages, web page content, emails), that text becomes LLM-readable via the accessibility tree file and is therefore fed into the agent context.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill repeatedly invokes "npx -p @vm0/cli" (which fetches and executes the @vm0/cli package from the npm registry, e.g. https://registry.npmjs.org/@vm0/cli) at runtime and all core commands rely on that fetched code, so remote code is executed during skill runtime.