omnifocus
Warn
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: MEDIUM
Findings: DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill accesses the local OmniFocus SQLite database, which contains private user information including tasks, notes, and project details.
  - Evidence: `scripts/sqlite_reader.rb` reads files from sensitive paths like `~/Library/Caches/com.omnigroup.OmniFocus/OmniFocusDatabase2` and application containers.
- [COMMAND_EXECUTION]: The skill uses `osascript` to execute dynamically constructed AppleScript and JavaScript (JXA) strings to automate the OmniFocus application.
  - Evidence: `scripts/applescript_client.rb` and `scripts/omni_automation.rb` generate script strings incorporating user-provided data and execute them via system shell backticks.
- [PROMPT_INJECTION]: The skill is exposed to indirect prompt injection as it ingests and processes untrusted content from the user's OmniFocus database.
  - Ingestion points: Task names, notes, and project descriptions retrieved from the local database in `scripts/omnifocus_manager.rb`.
  - Boundary markers: While the output is formatted as JSON, the individual text fields do not include delimiters or instructions to ignore embedded commands.
  - Capability inventory: The skill can modify the local database, create new tasks, and execute shell commands through the Ruby environment.
  - Sanitization: The code uses `Shellwords.escape` to prevent shell injection but does not filter for malicious natural-language instructions within the retrieved data.
Audit Metadata