type4me-macos-voice-input
Fail
Audited by Gen Agent Trust Hub on Mar 27, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill provides instructions to clone a repository from an untrusted source (
github.com/joewongjc/type4me) and execute bash scripts (scripts/build-sherpa.shandscripts/deploy.sh) directly from the cloned directory. This pattern allows for the execution of arbitrary code controlled by the repository maintainer. - [COMMAND_EXECUTION]: The documentation explicitly instructs users to execute the command
xattr -d com.apple.quarantine /Applications/Type4Me.app. This command manually removes the macOS security 'quarantine' attribute, effectively bypassing Gatekeeper protections designed to verify the source and integrity of downloaded applications. - [EXTERNAL_DOWNLOADS]: The skill directs the downloading of application binaries (DMG files) and Large Language Model (ASR) assets from external, non-official GitHub releases and third-party links.
- [PROMPT_INJECTION]: The skill defines 'Custom Processing Modes' that interpolate untrusted external data—such as
{selected}(active text selection) and{clipboard}(system clipboard content)—directly into LLM prompts without the use of boundary markers, delimiters, or sanitization logic. This creates a vulnerability to indirect prompt injection attacks where malicious text in the clipboard or selected text could manipulate the agent's behavior. - Ingestion points: Processes system clipboard and active text selection (
SKILL.mdunder 'Custom Processing Modes'). - Boundary markers: None identified in the prompt templates.
- Capability inventory: Performs text injection into active applications and network requests to ASR APIs.
- Sanitization: No escaping or validation is implemented for interpolated variables.
Recommendations
- AI detected serious security threats
Audit Metadata