Security Audit
computer-use-agents
github.com/davila7/claude-code-templates
Trust Assessment
computer-use-agents received a trust score of 55/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 1 critical, 2 high, 1 medium, and 1 low severity. Key findings include Network egress to untrusted endpoints, Covert behavior / concealment directives, Agent granted arbitrary shell execution capability.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Agent granted arbitrary shell execution capability.** The `AnthropicComputerUse` example explicitly defines and uses `BetaToolBash20241022`, granting the AI agent the ability to execute arbitrary shell commands. While the skill emphasizes robust sandboxing as a critical mitigation, this capability inherently carries a critical risk of command injection and system compromise if the sandbox is imperfect, bypassed, or if the LLM generates malicious commands. This represents an excessive permission that requires extreme caution. Remediation: implement robust, multi-layered sandboxing (as described in the skill) to strictly limit the scope and impact of shell commands. Consider if arbitrary bash access is truly necessary; prefer more constrained, purpose-built tools or a highly restricted shell environment where possible. Ensure all inputs to the bash tool are rigorously validated and sanitized. | LLM | SKILL.md:130 |
| HIGH | **Agent captures and processes sensitive screen data.** Both `ComputerUseAgent` and `AnthropicComputerUse` examples demonstrate capturing screenshots of the entire desktop (`pyautogui.screenshot()` and `scrot`). This means the agent will have access to all visual information displayed on the screen, which can include sensitive personal data, credentials, or confidential information. While sandboxing and network isolation are prescribed, the inherent act of capturing this data introduces a high risk of data exfiltration if the agent's output or communication channels are compromised, or if the sandbox is breached. Remediation: ensure all captured screen data is processed and stored strictly within the sandboxed environment. Implement strict network egress filtering to prevent unauthorized transmission of this data. Consider redacting sensitive areas of the screen before processing, if feasible, or limiting screen capture to specific application windows rather than the entire desktop. | LLM | SKILL.md:28 |
| HIGH | **UI automation tools vulnerable to malicious input.** The `ComputerUseAgent` uses `pyautogui.typewrite` and `pyautogui.click` to interact with the desktop. If the `text` input for `typewrite` or the coordinates for `click` are derived from untrusted LLM output (potentially influenced by prompt injection), the agent could be manipulated to type malicious commands into a terminal, browser, or other application, or click on dangerous UI elements. This constitutes a command injection risk, even within a sandboxed environment, as the agent is still performing actions that could lead to further compromise or unintended behavior. Remediation: implement strict input validation and sanitization for all LLM-generated actions, especially text input and coordinates. Ensure the sandboxed environment is configured to minimize the impact of such actions (e.g., no internet access for browsers, limited shell access). Consider using a 'human-in-the-loop' for critical actions or implementing a whitelist of allowed text inputs/click regions. | LLM | SKILL.md:48 |
| MEDIUM | **Network egress to untrusted endpoints.** Evidence: HTTP request to raw IP address. Remediation: review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| LOW | **Covert behavior / concealment directives.** Evidence: multiple zero-width characters (stealth text). Remediation: remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |
Full report: https://skillshield.io/report/89570878897734c8