1 Key Risks
The most critical security risks an operator inherits when deploying this agent in its documented default configuration. Simular Sai combines unrestricted desktop execution authority with minimal documented defenses, creating a deployment where the operator inherits full-host blast radius with limited visibility into autonomous agent behavior.
2 AIRQ Scores
The four headline scores quantify how exposed the agent is, how damaging a successful attack would be, and how much the agent’s own controls reduce that risk. Simular Sai presents an elevated composite risk driven by near-ceiling attack and blast scores that the minimal documented defenses do little to offset.
The agent lands in the Exposed Giants quadrant, meaning the operator inherits high exposure and blast potential that the documented defenses cannot adequately offset — requiring significant external hardening before production use.
Attack Surface and Blast Radius are each scored out of 10, Defense Controls out of 15, and the AIRQ composite integrates all three into a single operator-facing risk indicator.
| Metric | Score | Comments |
|---|---|---|
| AIRQ Score | 4.68 | Elevated composite reflecting high attack exposure and blast potential with minimal defense offset from documented controls. |
| Blast Radius | 6.75 / 10 | Desktop-level compromise scope with code execution, file system, network, and credentials accessible but no infrastructure or deployment pipeline access. |
| Attack Surface | 5.82 / 10 | Most surfaces at architectural maximum driven by unrestricted tool execution, unvalidated inputs, and always-on autonomous operation. |
| Defense Controls | 3 / 15 | Three partial-confidence controls documented with no independent verification; the defense total reflects vendor-described capabilities awaiting external audit. |
3 Attack Surface
Attack surfaces are the entry points and interaction patterns through which adversarial input can reach the agent’s reasoning loop and steer its behavior. Simular Sai's reasoning loop ingests unvalidated chat, web, document, and GUI content while executing arbitrary code on the operator's virtual desktop through channels with no documented filtering.
Eight of ten surfaces score at or above the high-risk threshold, with Tool Execution at the architectural ceiling and only Inter-Agent scoring low due to single-agent default operation.
Each row scores the entry point's exposure from zero (not present) to four (unrestricted, documented, and independently confirmed), with Comments citing the agent-specific evidence anchoring the assessment.
| Surface | Score | Comments |
|---|---|---|
| User Input | 3 / 4 | Chat instructions, GUI observations, and file uploads enter the reasoning loop without documented content filtering or prompt injection detection. [7] [3] |
| External Data | 3 / 4 | Web pages, documents, and email content are fetched and processed without validation pipelines or source reputation scoring on any ingestion channel. [7] [4] |
| Memory | 3 / 4 | Continual learning and workflow codification write persistently across sessions without documented integrity verification, creating a durable cross-session poisoning surface. [7] [12] |
| Reasoning | 3 / 4 | Delegated reasoning to interchangeable external LLMs with opaque decision boundaries and no documented chain-of-thought verification or reasoning-loop isolation controls. [11] [8] |
| Planning | 3 / 4 | Autonomous task decomposition executes in the background with approval covering only undefined critical actions, leaving the planning horizon unbounded for routine operations. [7] [5] |
| Tool Execution | 4 / 4 | Arbitrary Python and Bash execution with full user-level permissions; the framework README warns to use only in trusted environments due to unrestricted code execution. [8] [11] |
| Orchestration | 3 / 4 | Always-on daemon with headless background execution and webhook triggers for pipeline automation, with no documented rate limiting or circuit breakers on the loop. [7] [6] |
| Inter-Agent | 1 / 4 | No multi-agent communication protocol documented in the current architecture; the assessed deployment operates as a single autonomous agent without inter-agent message passing. [7] |
| Output Processing | 3 / 4 | GUI interaction, file writes, clipboard access, and network requests proceed without documented output filtering or data loss prevention between reasoning and execution. [1] [10] |
| Configuration | 2 / 4 | API keys in environment variables and OAuth tokens through standard flows with no documented secrets rotation or configuration drift detection mechanisms. [7] [9] |
The Lethal Trifecta is triggered when an agent processes untrusted content, accesses private data, and communicates externally in the same session — the three conditions that turn an isolated prompt injection into full-chain exfiltration. Simular Sai reads arbitrary web content and user documents, accesses private files and OAuth-scoped calendar data, and transmits through unrestricted browser, terminal, and API egress channels on its default configuration.
Simular Sai exhibits all three of these conditions in its documented default configuration:
- Untrusted input — Web pages, email content, and third-party documents enter the reasoning loop from sources external to the operator without content validation. [7]
- Sensitive data — Private files on the virtual desktop, Google Calendar events through OAuth scopes, and stored API credentials are accessible to the agent runtime. [9]
- External egress — Unrestricted outbound network through browser navigation, terminal utilities, email sending, and API client libraries with no documented egress filtering. [7]
4 Blast Radius
The blast radius is what an attacker who controls the agent can reach — which systems they touch, which credentials they read, and which actions they take without operator approval. Compromise of Simular Sai yields full virtual desktop access including unrestricted code execution, file system writes, network connectivity, and stored credential exposure at user privilege level.
Five of six blast factors score 3 of 4, the highest band the documented evidence supports without independent verification, with only Deployment Access scoring low due to the absence of CI/CD or infrastructure provisioning capabilities.
Each factor measures the maximum damage an attacker achieves through the compromised agent, scored from zero (no access) to four (unrestricted verified access).
| Factor | Score | Comments |
|---|---|---|
| Code execution | 3 / 4 | Full shell with user-level privileges enables arbitrary code including package installation and process management without sandboxing or capability restrictions. [8] [11] |
| File system access | 3 / 4 | Complete read-write access to the virtual desktop file system through both the automation API and direct shell commands with no path restrictions. [10] [7] |
| Network access | 3 / 4 | Unrestricted outbound connectivity through browser, terminal utilities, and API libraries on the always-on cloud VM with no documented egress filtering. [7] |
| Credential access | 3 / 4 | Google Calendar OAuth tokens, environment-stored API keys, and any credentials on the virtual desktop are accessible within the agent execution context. [7] [9] |
| Autonomous action | 3 / 4 | Continuous operation with the approval gate limited to a vendor-defined critical subset; file manipulation, web interaction, and application control proceed without per-action consent. [7] [11] |
| Deployment access | 1 / 4 | No documented CI/CD pipeline access or infrastructure provisioning capability; desktop operations are bounded to the operator virtual machine scope. [7] |
5 Defense Controls
Defense controls are what the agent’s own architecture does to detect, contain, and report attacks before they reach the operator’s systems. Simular Sai documents three partial-confidence defense components on its default configuration while publishing no information about input guardrails or output filtering.
Two components score zero with unknown confidence, and three score one with approximate confidence, indicating vendor-described capabilities with no independent verification.
Each component is scored from zero (nothing documented) to three (independently verified and active by default), with confidence markers indicating evidence quality.
| Component | Score | Comments |
|---|---|---|
| Input Guardrails | 0 / 3 | No documented input validation, prompt injection detection, or content filtering on any channel; vendor publishes no information about input-layer defenses. [7] [3] |
| Execution Isolation | 1 / 3 | Vendor describes a private virtual desktop as the isolation boundary, but no container specification, hypervisor guarantee, or independent audit is published. [8] [7] |
| Action Controls | 1 / 3 | Approval-based control documented for critical actions, but the criticality threshold and action taxonomy are unpublished; routine operations execute without consent. [7] [11] |
| Output Guardrails | 0 / 3 | No output filtering, data loss prevention, or egress monitoring documented for any output path; the vendor security posture omits any mention of outbound content inspection. [7] [1] |
| Monitoring | 1 / 3 | Session visibility implied through approval prompts and task reporting, but no audit logging specification or anomaly detection documentation is published. [7] [9] |
6 Hardening Tips
Concrete actions an operator can take to reduce the risks reported above, grouped by which defense control each tip strengthens. Priority hardening targets execution isolation and egress control, where the gap between the agent's unrestricted capability and the documented defense layer is widest.
Input Guardrails
Input guardrails intercept adversarial content before it reaches the reasoning loop.
- Policy: Require all external content to pass through a prompt injection detection service before reaching the reasoning loop — counters unvalidated web and document ingestion.
- Configuration: Configure content-type allowlisting on file ingestion to reject executable formats and active content from the processing pipeline — counters broad format acceptance.
- Engineering: Deploy an instruction hierarchy separating operator-level system prompts from user-level and content-level inputs, with priority enforcement — counters absent instruction separation.
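The content-type allowlisting tip is the one most directly expressible in code. The following Python is an added example and is not Simular or Agent-S code: it screens an upload by its leading bytes rather than its extension, rejects executable and active-content formats outright, and requires the declared type to match the bytes. The signature list, the allowed-type table and the sample files are assumptions constructed for this example.

```python
"""Content-type allowlisting for file ingestion.

Added example (not Simular or Agent-S code): decide whether an uploaded file may
enter the agent's processing pipeline by inspecting its leading bytes rather than
trusting the extension. Executable and active-content formats are rejected, and
the declared type must match the bytes. Signature lists and sample files are
constructed for this example.
"""
from __future__ import annotations

import io
import zipfile

# Leading-byte signatures rejected regardless of declared extension (assumed list).
REJECT_MAGIC = {
    b"MZ": "pe-executable",
    b"\x7fELF": "elf-executable",
    b"\xcf\xfa\xed\xfe": "mach-o-executable",
    b"\xfe\xed\xfa\xce": "mach-o-executable",
    b"#!": "script-with-shebang",
    b"\xd0\xcf\x11\xe0": "legacy-ole-document",  # binary .doc/.xls can carry macros
}


def is_plain_text(data: bytes) -> bool:
    """UTF-8 decodable and free of NUL bytes."""
    if b"\x00" in data:
        return False
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def is_pdf_without_active_content(data: bytes) -> bool:
    """PDF header present and no JavaScript or launch actions (substring heuristic)."""
    return data.startswith(b"%PDF-") and b"/JavaScript" not in data and b"/Launch" not in data


def is_docx_without_macros(data: bytes) -> bool:
    """OOXML zip with a Word document part and no embedded VBA project."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
    except zipfile.BadZipFile:
        return False
    if "word/document.xml" not in names:
        return False
    return not any(n.lower().endswith("vbaproject.bin") for n in names)


# Declared extension -> validator proving the bytes really are that type (assumed allowlist).
ALLOWED_TYPES = {
    ".pdf": is_pdf_without_active_content,
    ".png": lambda d: d.startswith(b"\x89PNG\r\n\x1a\n"),
    ".txt": is_plain_text,
    ".csv": is_plain_text,
    ".md": is_plain_text,
    ".docx": is_docx_without_macros,
}


def screen_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Magic-byte rejection runs first so an executable
    renamed to report.pdf never reaches the type-specific validator."""
    for magic, label in REJECT_MAGIC.items():
        if data.startswith(magic):
            return False, f"rejected: {label}"
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    validator = ALLOWED_TYPES.get(ext)
    if validator is None:
        return False, f"rejected: extension {ext or '(none)'} is not allowlisted"
    if not validator(data):
        return False, f"rejected: content does not match declared type {ext}"
    return True, "accepted"


def build_docx(with_macros: bool) -> bytes:
    """Constructed minimal OOXML package for the demo; real files carry many more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


# Constructed sample inputs.
GOOD_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
JS_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >>\nendobj\n"

if __name__ == "__main__":
    for name, blob in [
        ("report.pdf", GOOD_PDF),
        ("report.pdf", JS_PDF),
        ("report.pdf", b"MZ\x90\x00" + b"\x00" * 60),  # PE binary wearing a PDF extension
        ("notes.txt", b"#!/bin/sh\nid\n"),
        ("memo.docx", build_docx(with_macros=False)),
        ("memo.docx", build_docx(with_macros=True)),
        ("photo.jpg", b"\xff\xd8\xff\xe0"),
    ]:
        print(f"{name:12} -> {screen_upload(name, blob)}")
```

A renamed binary, a PDF carrying JavaScript and a .docx with a vbaProject.bin part are all stopped before they reach the pipeline. The PDF check is a substring heuristic; a production gate would parse the object tree or route documents through a content-disarm step instead.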
Execution Isolation
Execution isolation contains what a compromised agent can do on the host.
- Policy: Mandate that the virtual desktop runtime uses a hardened container with seccomp profiles and dropped capabilities — counters unrestricted shell access at user privilege.
- Configuration: Implement per-session filesystem snapshots with rollback so unauthorized writes are detectable within the session boundary — counters persistent modification without integrity checks.
- Engineering: Restrict network egress from the execution environment to a pre-approved domain allowlist using hypervisor-level firewall rules — counters unrestricted outbound connectivity.
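The detection half of the snapshot tip, as an added Python example that is not Simular or Agent-S code: hash every regular file under the agent home before a session, hash again afterwards, and flag changes outside the directories the operator expects the agent to write. The home layout, the allowed-write list and the simulated session are constructed assumptions. Rollback is not included; it needs retained copies, not hashes.

```python
"""Per-session filesystem baseline and diff.

Added example (not Simular or Agent-S code): hash every regular file under the
agent's home before a session, hash again afterwards, and flag any change that
falls outside the directories the operator expects the agent to write to. The
directory layout and the simulated session are constructed for this example.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def snapshot(root: str | Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root. Symlinks are
    skipped so a planted link cannot pull a file from outside the tree into the set."""
    root = Path(root)
    digests: dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        h = hashlib.sha256()
        with p.open("rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        digests[p.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def diff_snapshots(before: dict[str, str], after: dict[str, str]) -> dict[str, list[str]]:
    return {
        "added": sorted(set(after) - set(before)),
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
        "deleted": sorted(set(before) - set(after)),
    }


def unauthorized_changes(changes: dict[str, list[str]], allowed_prefixes: list[str]) -> list[str]:
    """Every changed path that is not inside one of the allowed relative directories."""
    def allowed(path: str) -> bool:
        return any(path == d or path.startswith(d.rstrip("/") + "/") for d in allowed_prefixes)
    return sorted(p for paths in changes.values() for p in paths if not allowed(p))


def demo() -> tuple[dict[str, list[str]], list[str]]:
    """Constructed home directory plus a simulated session with two expected writes
    inside workspace/ and two writes outside it."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        (home / "workspace").mkdir()
        (home / ".ssh").mkdir()
        (home / "workspace" / "notes.txt").write_text("draft\n")
        (home / ".ssh" / "authorized_keys").write_text("ssh-ed25519 AAAA...operator\n")
        (home / ".bashrc").write_text("export EDITOR=vim\n")
        before = snapshot(home)

        # Simulated agent session.
        (home / "workspace" / "notes.txt").write_text("draft v2\n")                   # expected
        (home / "workspace" / "out.csv").write_text("a,b\n1,2\n")                      # expected
        (home / ".ssh" / "authorized_keys").write_text("ssh-ed25519 BBBB...unknown\n")  # not expected
        (home / ".bashrc").write_text("export PATH=/tmp/bin:$PATH\n")                 # not expected

        after = snapshot(home)
        changes = diff_snapshots(before, after)
        return changes, unauthorized_changes(changes, allowed_prefixes=["workspace"])


if __name__ == "__main__":
    changes, flagged = demo()
    print("changes:", changes)
    print("outside allowed roots:", flagged)
```

The two writes to .ssh/authorized_keys and .bashrc surface as unauthorized even though they happened in the same session as legitimate workspace edits. Run the baseline from outside the virtual desktop (a hypervisor-side mount or the container's read-only layer) so the agent cannot rewrite the before-snapshot itself.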
Action Controls
Action controls govern which tools and actions the agent can invoke autonomously.
- Policy: Deploy a proxy layer that intercepts agent actions and enforces an operator-defined action policy before execution — counters the opaque vendor approval threshold.
- Configuration: Implement per-action rate limiting with automatic escalation to human review when frequency exceeds baseline thresholds — counters unbounded autonomous operation.
- Engineering: Require explicit authorization for any action transmitting data outside the virtual desktop boundary, including email and API calls — counters unmonitored egress.
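An action gate that covers the three tips above and the domain allowlist from Execution Isolation, as an added Python example that is not Simular or Agent-S code. Tool names, argument shapes, the allowlist and the thresholds are assumptions; what the example shows is the decision structure: default-deny for unknown tools, host matching that does not fall for suffix or userinfo tricks, approval for anything that moves data off the desktop, and rate-based escalation.

```python
"""Operator-side action gate for a computer-use agent.

Added example (not Simular or Agent-S code): every proposed tool call is passed
through ActionPolicy.decide() before it runs. The gate denies egress to hosts off
an allowlist, routes anything that carries data off the desktop (request bodies,
e-mail, shell egress utilities) to human approval, denies writes outside the
workspace, and escalates to review when the action rate exceeds a baseline.
Tool names, argument shapes, the allowlist and the thresholds are assumptions.
"""
from __future__ import annotations

import os
import shlex
import time
from collections import deque
from dataclasses import dataclass
from urllib.parse import urlparse

ALLOW, DENY, APPROVE = "allow", "deny", "require_approval"

# Shell utilities that move data off the host (assumed list; extend per site).
EGRESS_UTILITIES = {"curl", "wget", "nc", "ncat", "ssh", "scp", "sftp", "rsync", "mail", "sendmail"}


@dataclass(frozen=True)
class Action:
    tool: str
    args: dict


class ActionPolicy:
    def __init__(self, egress_allowlist, allowed_write_roots, max_actions_per_window,
                 window_seconds, clock=time.monotonic):
        self.egress_allowlist = [h.lower().strip(".") for h in egress_allowlist]
        self.allowed_write_roots = [os.path.normpath(r) for r in allowed_write_roots]
        self.max_actions = max_actions_per_window
        self.window = window_seconds
        self.clock = clock
        self._recent: deque[float] = deque()

    def decide(self, action: Action) -> tuple[str, str]:
        # Rate check first: a burst is suspicious whatever the individual actions are.
        now = self.clock()
        while self._recent and now - self._recent[0] > self.window:
            self._recent.popleft()
        self._recent.append(now)
        if len(self._recent) > self.max_actions:
            return APPROVE, f"{len(self._recent)} actions in {self.window}s exceeds baseline {self.max_actions}"
        handlers = {
            "browser.navigate": self._check_url,
            "http.request": self._check_url,
            "email.send": lambda a: (APPROVE, "e-mail leaves the desktop boundary"),
            "shell": self._check_shell,
            "file.write": self._check_file_write,
        }
        handler = handlers.get(action.tool)
        if handler is None:
            return DENY, f"unknown tool {action.tool!r}"  # default-deny, never default-allow
        return handler(action.args)

    def _host_allowed(self, host: str) -> bool:
        # Exact or subdomain match; a bare suffix test would accept evil-api.openai.com.
        return any(host == d or host.endswith("." + d) for d in self.egress_allowlist)

    def _check_url(self, args: dict) -> tuple[str, str]:
        parsed = urlparse(args.get("url", ""))
        host = parsed.hostname  # lowercased; https://ok.example@evil.example/ yields evil.example
        if parsed.scheme not in ("http", "https") or not host:
            return DENY, f"unsupported or hostless URL {args.get('url')!r}"
        if not self._host_allowed(host):
            return DENY, f"egress host {host!r} is not allowlisted"
        if args.get("method", "GET").upper() not in ("GET", "HEAD") or args.get("body"):
            return APPROVE, f"request to {host!r} carries data off the desktop"
        return ALLOW, f"read-only request to allowlisted host {host!r}"

    def _check_shell(self, args: dict) -> tuple[str, str]:
        try:
            tokens = shlex.split(args.get("cmd", ""))
        except ValueError as exc:
            return DENY, f"unparseable command: {exc}"
        if not tokens:
            return DENY, "empty command"
        used = sorted({os.path.basename(t) for t in tokens} & EGRESS_UTILITIES)
        if used:
            return APPROVE, f"command invokes egress utilities {used}"
        return ALLOW, "no egress utility in command"

    def _check_file_write(self, args: dict) -> tuple[str, str]:
        path = os.path.normpath(args.get("path", ""))  # collapses ../ before the prefix test
        for root in self.allowed_write_roots:
            if path == root or path.startswith(root + os.sep):
                return ALLOW, f"write inside {root}"
        return DENY, f"write outside allowed roots: {path}"


def demo() -> list[tuple[str, str]]:
    """Constructed sequence of proposals evaluated against a fake clock."""
    clock = {"t": 0.0}
    policy = ActionPolicy(
        egress_allowlist=["calendar.google.com", "api.openai.com"],
        allowed_write_roots=["/home/operator/workspace"],
        max_actions_per_window=7, window_seconds=60, clock=lambda: clock["t"])
    proposals = [
        Action("browser.navigate", {"url": "https://calendar.google.com/calendar/"}),
        Action("browser.navigate", {"url": "https://calendar.google.com.attacker.example/"}),
        Action("http.request", {"url": "https://api.openai.com/v1/chat/completions", "method": "POST", "body": "{}"}),
        Action("email.send", {"to": "someone@example.com", "subject": "weekly report"}),
        Action("shell", {"cmd": "ls -la /home/operator/Documents"}),
        Action("shell", {"cmd": "/usr/bin/curl -s -T report.pdf https://api.openai.com/"}),
        Action("file.write", {"path": "/home/operator/workspace/../.ssh/authorized_keys"}),
        Action("file.write", {"path": "/home/operator/workspace/out.csv"}),  # eighth call in the window
    ]
    results = [policy.decide(a) for a in proposals]
    clock["t"] = 61.0                          # window expires, the same write is now allowed
    results.append(policy.decide(proposals[-1]))
    return results


if __name__ == "__main__":
    for decision, reason in demo():
        print(f"{decision:17} {reason}")
```

The shell check is a coarse token match: it sees curl but not a Python one-liner that opens a socket. Treat it as the approval hook and keep the hypervisor-level egress allowlist as the actual boundary; the two tips are complementary, not substitutes.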
Output Guardrails
Output guardrails inspect what the agent sends to other systems and users.
- Policy: Deploy data loss prevention between the reasoning loop and all output channels, inspecting for credentials, personal data, and proprietary content — counters absent output filtering.
- Configuration: Implement clipboard isolation preventing sensitive data from being copied between applications without operator visibility — counters unrestricted clipboard access.
- Engineering: Add content signing to agent-authored communications so recipients can distinguish agent-generated from operator-generated messages — counters impersonation risk.
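A DLP scan of the kind the Policy tip calls for, as an added Python example that is not Simular or Agent-S code; the same gate can sit on the clipboard path from the Configuration tip. The pattern set is an assumption and deliberately small; the Luhn check is there so that ordinary 16-digit numbers such as order IDs are not mistaken for payment cards. The draft message is constructed for the example.

```python
"""Outbound data loss prevention gate.

Added example (not Simular or Agent-S code): scan text the agent is about to send
through e-mail, a form field, the clipboard or an API call for credential and
personal-data patterns, redact what it finds, and block or hold the send. The
pattern set is assumed and small; the draft message is constructed.
"""
from __future__ import annotations

import re

PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b"),
    "email_address": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
}
# 13 to 19 digits with optional space or dash separators; confirmed by Luhn below.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
CREDENTIAL_KINDS = {"aws_access_key", "github_token", "private_key_block", "jwt"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right, subtracting 9 above 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan(text: str) -> list[tuple[str, int, int]]:
    """(kind, start, end) for every hit, ordered by position in the text."""
    hits = [(kind, m.start(), m.end()) for kind, rx in PATTERNS.items() for m in rx.finditer(text)]
    for m in CARD_CANDIDATE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            hits.append(("payment_card", m.start(), m.end()))
    return sorted(hits, key=lambda h: h[1])


def redact(text: str, hits: list[tuple[str, int, int]]) -> str:
    # Replace from the end so earlier offsets stay valid.
    for kind, start, end in sorted(hits, key=lambda h: h[1], reverse=True):
        text = text[:start] + f"[REDACTED:{kind}]" + text[end:]
    return text


def gate_outbound(text: str) -> tuple[str, str, list[tuple[str, int, int]]]:
    """Credentials -> block; personal data -> hold for approval; clean -> allow."""
    hits = scan(text)
    kinds = {k for k, _, _ in hits}
    if kinds & CREDENTIAL_KINDS:
        return "block", redact(text, hits), hits
    if kinds:
        return "require_approval", redact(text, hits), hits
    return "allow", text, hits


# Constructed draft: an order number that is not a card, an AWS-style example key
# ID, a test card number and an address.
SAMPLE_DRAFT = (
    "Hi team, the migration is done. Order 1234 5678 9012 3456 shipped.\n"
    "Use key AKIAIOSFODNN7EXAMPLE for the bucket and card 4111 1111 1111 1111 for the invoice.\n"
    "Contact ops@example.com if anything breaks.\n"
)

if __name__ == "__main__":
    decision, redacted, hits = gate_outbound(SAMPLE_DRAFT)
    print(decision, [k for k, _, _ in hits])
    print(redacted)
```

The draft is blocked because of the key ID, the card number is redacted, the address alone would only hold the message for approval, and the order number passes because it fails Luhn. Pattern lists like this catch known token shapes, not arbitrary proprietary content; for the latter the page's clipboard-isolation and approval tips carry more weight.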
Monitoring
Monitoring captures what the agent did and surfaces anomalies for review.
- Policy: Enable comprehensive audit logging of every agent action, with immutable storage outside the agent write path — counters absent runtime observability.
- Configuration: Deploy behavioral anomaly detection that baselines normal activity and alerts on deviations in action frequency or data volume — counters reliance on operator attention.
- Engineering: Integrate session recording with searchable replay for post-incident reconstruction of the full agent decision chain — counters opaque reasoning with no forensic trail.
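A hash-chained, HMAC-authenticated action log for the immutable-storage tip, as an added Python example that is not Simular or Agent-S code. It assumes the MAC key and the chain head are held by an operator-side collector rather than on the agent's desktop, which is what makes an agent-side rewrite or deletion detectable. The key and the three events are constructed for the example.

```python
"""Tamper-evident audit trail for agent actions.

Added example (not Simular or Agent-S code): each action record is chained to the
previous one and authenticated with an HMAC whose key lives on the operator's
collector, not on the agent's desktop. verify() detects an edited entry and, given
the collector's copy of the chain head, a truncated log as well. Key and events
are constructed for this example.
"""
from __future__ import annotations

import hashlib
import hmac
import json

GENESIS = "0" * 64


def entry_mac(key: bytes, body: dict) -> str:
    """HMAC over a canonical JSON encoding so field order cannot change the MAC."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class AuditLog:
    def __init__(self, key: bytes):
        self._key = key
        self.entries: list[dict] = []

    def append(self, action: dict, ts: float) -> dict:
        body = {"seq": len(self.entries), "ts": ts, "action": action,
                "prev": self.entries[-1]["mac"] if self.entries else GENESIS}
        entry = {**body, "mac": entry_mac(self._key, body)}
        self.entries.append(entry)
        return entry

    def head(self) -> tuple[int, str]:
        """What the collector keeps out of band: entry count and latest MAC."""
        return len(self.entries), (self.entries[-1]["mac"] if self.entries else GENESIS)


def verify(entries: list[dict], key: bytes, head: tuple[int, str] | None = None) -> tuple[bool, str]:
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: e[k] for k in ("seq", "ts", "action", "prev")}
        if e["seq"] != i or e["prev"] != prev:
            return False, f"chain break at entry {i}"
        if not hmac.compare_digest(entry_mac(key, body), e["mac"]):
            return False, f"bad mac at entry {i}"
        prev = e["mac"]
    if head is not None and head != (len(entries), prev):
        return False, f"head mismatch: collector holds {head[0]} entries, log has {len(entries)}"
    return True, "ok"


def demo() -> tuple[tuple[bool, str], tuple[bool, str], tuple[bool, str]]:
    key = b"collector-held-key-not-on-desktop"  # constructed; provisioned by the collector in practice
    log = AuditLog(key)
    log.append({"tool": "browser.navigate", "url": "https://calendar.google.com/"}, ts=1.0)
    log.append({"tool": "shell", "cmd": "ls /home/operator/Documents"}, ts=2.0)
    log.append({"tool": "file.write", "path": "/home/operator/.ssh/authorized_keys"}, ts=3.0)
    head = log.head()

    intact = verify(log.entries, key, head)

    edited = [dict(e) for e in log.entries]  # agent rewrites the incriminating record
    edited[2]["action"] = {"tool": "shell", "cmd": "ls /home/operator/Documents"}
    tampered = verify(edited, key, head)

    truncated = verify(log.entries[:2], key, head)  # agent deletes the last record
    return intact, tampered, truncated


if __name__ == "__main__":
    for label, result in zip(("intact", "edited", "truncated"), demo()):
        print(f"{label:10} {result}")
```

Without the key the agent cannot re-MAC an edited record, and without the collector's head it could still drop the tail of the log unnoticed, which is why the head is checked separately. Ship each entry to the collector as it is written; a chain that only exists on the desktop protects nothing.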
7 References
The evidence base behind every score and finding in the profile, grouped by source type so the reader can verify any claim. Numbers in brackets throughout the report (e.g. [7] [3]) refer to entries below, listed in citation order.
Selected Vulnerabilities
- Agent-S Website Security Audit: Community-filed audit identifies six of seven recommended HTTP security headers missing on simular.ai, scoring 49 of 100 on security.
- Agent-S Responsible Disclosure Gap: Security researcher reports being unable to find a vulnerability disclosure mechanism, indicating that no SECURITY.md or security contact exists.
Selected Research
- VPI-Bench, Visual Prompt Injection for Computer-Use Agents: Benchmark of 306 test cases demonstrating up to 51 percent visual prompt injection success against computer-use agents with limited defenses.
- MIP against Agent, Malicious Image Patches: Demonstrates adversarially perturbed screen regions that hijack OS agents during benign execution, generalizing across prompts and configurations.
- TOCTOU Attacks on GUI Agents: Formalizes time-of-check-to-time-of-use vulnerabilities in GUI agent loops, achieving 100 percent redirection via focus manipulation.
- OWASP Top 10 for Agentic Applications: Defines the ten highest-impact threats for agentic AI, including goal hijack and tool misuse, applicable to computer-use agents.
Vendor Documentation
- Simular Sai Product Page: Primary product documentation describing GUI-based computer use, approval controls, always-on execution, and the virtual desktop architecture.
- Agent-S Open Source Framework: Open-source framework whose documentation warns about arbitrary Python and Bash execution with user-level permissions and no sandbox.
- Simular Sai Privacy Policy: Details data collection practices, Google API scope, secure server storage, and an acknowledgment of transmission security limitations.
- Simulang Developer Documentation: Desktop automation API reference documenting file write, GUI control, page content extraction, and clipboard access primitives.
Other Sources
- Governance Controls Feature Request: Community contributor identifies computer-using agents as the highest-risk surface and proposes policy enforcement with signed audit trails.
- Simular Series A Announcement: Describes the hybrid neuro-symbolic architecture combining neural exploration, symbolic execution, and continual learning for the platform.