
capture-screen — agentic threat model

AIVSS 8.4 · High

This agent skill presents high local risk due to its ability to execute arbitrary AppleScript, discover window IDs, and capture host screen contents, effectively acting as a potential vector for local privilege escalation, data exfiltration, and host desktop control if compromised.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 7.8
AARS uplift: 0.55
Factor sum: 2.4 / 10
Threat multiplier (ThM): ×1.05
Mitigation factor: ×1.0

Agentic risk factors (Factor_Sum = 2.40):

Autonomy of Action: 0.40
Goal-Driven Planning: 0.20
Self-Modification: 0.00
Dynamic Tool Use: 0.70
Persistent Memory: 0.10
Contextual Awareness: 0.30
Dynamic Identity: 0.10
Multi-Agent Interactions: 0.10
Non-Determinism: 0.30
Opacity & Reflexivity: 0.20

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
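A worked recomputation of the score above, added here as an example and not part of the listing: the ten factor values, CVSS base 7.8, threat multiplier 1.05 and mitigation factor 1.0 are the listing's own inputs; the [0, 1] range check on factors, the cap at 10 and the CVSS-style qualitative severity bands are assumptions.

```python
# Agentic risk factors exactly as stated on the listing (each assumed to lie in [0, 1]).
FACTORS = {
    "Autonomy of Action": 0.40,
    "Goal-Driven Planning": 0.20,
    "Self-Modification": 0.00,
    "Dynamic Tool Use": 0.70,
    "Persistent Memory": 0.10,
    "Contextual Awareness": 0.30,
    "Dynamic Identity": 0.10,
    "Multi-Agent Interactions": 0.10,
    "Non-Determinism": 0.30,
    "Opacity & Reflexivity": 0.20,
}

def factor_sum(factors):
    """Sum of the ten agentic factors; rejects values outside [0, 1] (assumed range)."""
    if len(factors) != 10:
        raise ValueError("AIVSS expects exactly ten agentic risk factors")
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name}: factor {value} outside [0, 1]")
    return sum(factors.values())

def aars(cvss_base, factor_total, threat_multiplier):
    """AARS = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM, as on the listing."""
    return (10.0 - cvss_base) * (factor_total / 10.0) * threat_multiplier

def aivss(cvss_base, factors, threat_multiplier=1.0, mitigation_factor=1.0):
    """AIVSS = (CVSS_Base + AARS) * Mitigation_Factor; the cap at 10 is an assumption."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base score must be in [0, 10]")
    uplift = aars(cvss_base, factor_sum(factors), threat_multiplier)
    return min(10.0, (cvss_base + uplift) * mitigation_factor)

def severity(score):
    """Qualitative band. Assumption: AIVSS reuses the CVSS v3 severity bands."""
    for floor, label in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")):
        if score >= floor:
            return label
    return "None"

if __name__ == "__main__":
    total = factor_sum(FACTORS)
    uplift = aars(7.8, total, 1.05)
    score = aivss(7.8, FACTORS, threat_multiplier=1.05, mitigation_factor=1.0)
    print(f"factor sum {total:.2f}, AARS {uplift:.2f}, AIVSS {score:.1f} ({severity(score)})")
```

Running it reproduces the listing's figures: factor sum 2.40, AARS 0.55 and AIVSS 8.4 (High).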

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The listing does not specify the underlying foundation model used to drive this skill. If an unaligned or vulnerable model is used, it could be manipulated via prompt injection to capture sensitive windows or execute unauthorized AppleScript commands.

L2 · Data Operations (⚠ not certain from listing)

Not certain from the listing — No dedicated RAG or vector database is mentioned. However, the agent handles highly sensitive transient data by capturing raw screen images and window metadata, which could be leaked if not securely handled in memory.

L3 · Agent Frameworks (✓ mapped)

The agent framework directly integrates with macOS APIs (CGWindowListCopyWindowInfo) and AppleScript. The primary threat is insecure tool integration, where malicious inputs could manipulate the AppleScript execution to target unauthorized applications or perform unintended UI interactions.

L4 · Deployment & Infrastructure (✓ mapped)

The agent runs directly on the host macOS desktop with CLI and AppleScript access. This presents a severe host compromise and privilege escalation risk if the execution environment is not strictly sandboxed or restricted via macOS TCC (Transparency, Consent, and Control) permissions.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — There is no mention of logging, guardrails, or observability mechanisms to monitor which windows are being targeted or to detect anomalous screen capture patterns.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — No identity, authorization policies, or compliance controls are described. The agent appears to run with the permissions of the host user, lacking fine-grained access control over which applications it can control.

L7 · Agent Ecosystem (✓ mapped)

As an open-source community agent skill, it is highly susceptible to supply chain risks or being integrated into larger, multi-agent workflows where a compromised orchestrator could abuse this skill to silently spy on the user's desktop.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).