wispr-flow
Fail
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: HIGH
Findings: DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [DATA_EXFILTRATION]: The documentation file 'docs/local-data-sources.md' provides specific paths and SQL queries for the agent to access highly sensitive local macOS databases beyond the skill's primary scope. Evidence includes paths for iMessage ('/Library/Messages/chat.db'), Contacts ('/Library/Application Support/AddressBook/AddressBook-v22.abcddb'), and Apple Notes ('~/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite').
- [COMMAND_EXECUTION]: The skill uses Python scripts and direct shell commands ('sqlite3', 'open') to interact with databases and files. Scripts such as 'create-dashboard.py', 'get-stats.py', and 'search-history.py' construct SQL queries using f-strings with user-supplied parameters, making them vulnerable to SQL injection.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface as it processes user-dictated text ('formattedText') from the Wispr Flow database.
  1. Ingestion points: 'History' table in 'flow.sqlite' accessed via 'scripts/search-history.py' and 'scripts/get-stats.py'.
  2. Boundary markers: None identified.
  3. Capability inventory: Subprocess calls to 'sqlite3' and 'open', and local file writing for exports.
  4. Sanitization: Inadequate; while 'search-history.py' performs basic character replacement, the scripts rely on unsafe f-string interpolation for query building.
- [EXTERNAL_DOWNLOADS]: The script 'scripts/create-dashboard.py' references the Chart.js library from 'https://cdn.jsdelivr.net/npm/chart.js'. This is a well-known service used for visualization purposes and is documented neutrally.
Recommendations
- AI detected serious security threats
Audit Metadata