macos-shortcuts
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE COMMAND_EXECUTION PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (SAFE): The skill provides an interface to the native macOS `shortcuts` binary. All commands described (list, view, run) are standard system operations for macOS automation.
- [PROMPT_INJECTION] (LOW): Identified a surface for Indirect Prompt Injection (Category 8) where malicious content could be introduced via system data.
  - Ingestion points: The agent ingests untrusted data from the output of `shortcuts list` and `shortcuts run` commands (found in SKILL.md and examples.md).
  - Boundary markers: Absent. There are no instructions to the agent to treat command output as data only or to ignore embedded instructions.
  - Capability inventory: The agent has the capability to execute shell commands, read/write files, and perform batch operations using loops.
  - Sanitization: No sanitization or validation of the shortcut names or output content is performed before the agent processes them.
- [DYNAMIC_EXECUTION] (LOW): The examples (examples.md) encourage the agent to generate and execute shell scripts (e.g., `for` loops and `tar` commands) at runtime. While these are standard automation patterns, they require the agent to correctly escape file names to prevent command injection via malicious metadata or filenames.
Audit Metadata