ios-device-automation

Pass

Audited by Gen Agent Trust Hub on May 27, 2026

Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection because it processes visual content from the iOS device screen that may contain adversarial text.
  • Ingestion points: Screen content from the iOS device captured via the take_screenshot command and analyzed during act operations.
  • Boundary markers: There are no specified delimiters or instructions to help the model distinguish between UI labels and potential instructions embedded in images or web pages.
  • Capability inventory: The skill possesses extensive interaction capabilities, including tapping, typing, scrolling, and navigating system-level UI components.
  • Sanitization: No sanitization or filtering of the text extracted from the device screen is mentioned in the automation workflow.
  • [EXTERNAL_DOWNLOADS]: The skill retrieves the @midscene/ios package and its associated dependencies from the NPM registry during execution.
  • [COMMAND_EXECUTION]: Uses the Bash tool to execute CLI commands that manage the connection to the device and orchestrate the vision-driven automation steps.
  • [REMOTE_CODE_EXECUTION]: Dynamically executes the @midscene/ios package code obtained from the NPM registry using npx.
Audit Metadata
Risk Level
SAFE
Analyzed
May 27, 2026, 04:46 PM
Security Audit — agent-trust-hub — ios-device-automation