ios-device-automation
Pass
Audited by Gen Agent Trust Hub on May 27, 2026
Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection because it processes visual content from the iOS device screen that may contain adversarial text.
- Ingestion points: Screen content from the iOS device captured via the take_screenshot command and analyzed during act operations.
- Boundary markers: There are no specified delimiters or instructions to help the model distinguish between UI labels and potential instructions embedded in images or web pages.
- Capability inventory: The skill possesses extensive interaction capabilities, including tapping, typing, scrolling, and navigating system-level UI components.
- Sanitization: No sanitization or filtering of the text extracted from the device screen is mentioned in the automation workflow.
- [EXTERNAL_DOWNLOADS]: The skill retrieves the @midscene/ios package and its associated dependencies from the NPM registry during execution.
- [COMMAND_EXECUTION]: Uses the Bash tool to execute CLI commands that manage the connection to the device and orchestrate the vision-driven automation steps.
- [REMOTE_CODE_EXECUTION]: Dynamically executes the @midscene/ios package code obtained from the NPM registry using npx.
Audit Metadata