macos-keychain
Fail
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: HIGH
Tags: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill explicitly instructs on how to retrieve passwords in plaintext from the macOS Keychain using the `security find-generic-password` command with the `-w` flag. This action exposes sensitive secrets directly to the agent's process and history.
- [COMMAND_EXECUTION]: The skill encourages the use of system-level CLI tools (`security`) via subprocess execution in scripts. This allows the agent to modify system security settings, add/delete certificates, and manipulate the Secure Enclave.
- [DATA_EXFILTRATION]: Instructions are provided for exporting identities and certificates to external files (e.g., `security export -t identities -o cert.p12`). If an agent possesses network access, these exported private keys and certificates could be easily exfiltrated.
- [CREDENTIALS_UNSAFE]: The documentation suggests using passphrases directly in CLI commands for certificate export (e.g., `-P passphrase`), which can lead to sensitive credentials being captured in process lists or shell history logs.
- [INDIRECT_PROMPT_INJECTION]: The skill possesses a high-risk capability surface by reading data from the Keychain. If an attacker places a malicious payload within a Keychain item's name or service field, the agent could potentially execute or follow instructions embedded in that retrieved data. Evidence: Ingestion points: `security find-generic-password`. Boundary markers: None. Capability inventory: `security` CLI subprocess execution. Sanitization: None.
Recommendations
- AI detected serious security threats
Audit Metadata