Trust Assessment
turix-mac received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 2 critical, 2 high, 0 medium, and 0 low severity. Key findings include Direct Prompt Injection into Desktop Automation Agent, Agent with Full Desktop Control and Screen Recording Capabilities, Potential Data Exfiltration via Malicious Prompt.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 10/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Description | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Direct Prompt Injection into Desktop Automation Agent | The `TASK_DESCRIPTION` variable, which captures all arguments passed to the `run_turix.sh` script (and thus user input), is directly injected into the `config.json` file as the `agent.task` without any sanitization. This `agent.task` is then consumed by the TuriX Computer Use Agent, which is designed to control the macOS desktop visually. This allows an attacker to inject malicious instructions or manipulate the agent's behavior, potentially leading to arbitrary actions on the user's system. | Implement robust input validation and sanitization for the `TASK_DESCRIPTION` before it is written to the configuration file and consumed by the TuriX agent. If TuriX is an LLM, employ prompt templating, input/output filtering, and sandboxing techniques. Consider a human-in-the-loop approval process for sensitive commands. | LLM | scripts/run_turix.sh:17 |
| CRITICAL | Agent with Full Desktop Control and Screen Recording Capabilities | The TuriX Computer Use Agent is explicitly designed to "control the macOS desktop visually" and requires "Screen Recording" permissions. When combined with the direct prompt injection vulnerability (SS-LLM-001), this grants an attacker the ability to command the agent to perform virtually any action on the user's system, including interacting with applications, accessing files, and observing sensitive information displayed on the screen. This broad scope of permissions creates a high-impact attack surface. | Implement a strict capability-based security model for the TuriX agent, limiting its actions to the absolute minimum necessary. Run the agent in a highly sandboxed environment with restricted privileges. Introduce explicit user confirmation for any action that modifies system state, accesses sensitive data, or interacts with critical applications. | LLM | SKILL.md:10 |
| HIGH | Potential Data Exfiltration via Malicious Prompt | Due to the direct prompt injection vulnerability (SS-LLM-001) and the agent's excessive permissions (SS-LLM-005) to control the macOS desktop and access files, a malicious prompt can instruct the TuriX agent to locate, read, and transmit sensitive user data. The skill's own examples, such as "Find the latest invoice in my email and upload it to the company portal," demonstrate its capability to interact with files and network resources, making data exfiltration a credible threat. | Implement strict data access controls for the agent. Restrict network egress to approved endpoints. Introduce a human-in-the-loop approval for any data transfer operations. Sanitize and validate all user input to prevent malicious instructions. | LLM | SKILL.md:24 |
| HIGH | Potential Credential Harvesting via Malicious Prompt | Leveraging the direct prompt injection vulnerability (SS-LLM-001) and the agent's excessive permissions (SS-LLM-005) to visually control the macOS desktop, an attacker could craft a prompt to instruct the TuriX agent to harvest credentials. This could involve navigating to login forms, interacting with password managers, or extracting sensitive information displayed in terminal windows or other applications. | Implement strict UI interaction policies for the agent, especially concerning sensitive input fields. Prevent the agent from interacting with credential managers or displaying sensitive information. Introduce a human-in-the-loop approval for any actions that might expose credentials. Sanitize and validate all user input to prevent malicious instructions. | LLM | SKILL.md:10 |
Full report: https://skillshield.io/report/3e33031424be1e32