atlas
Warn
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the subprocess.run function to execute osascript commands, which run dynamically generated AppleScript to control the Atlas application. This allows for actions such as focusing windows, opening new URLs, and closing or reloading tabs. Executing shell-level commands is a high-privilege capability that presents a security risk if abused.
- [DATA_EXFILTRATION]: The skill reads sensitive local files from the user's profile directory at ~/Library/Application Support/com.openai.atlas/. This includes accessing the History SQLite database to retrieve browsing records and the Bookmarks JSON file. While the data is processed locally to answer user queries, accessing such information constitutes exposure of sensitive personal data.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests data from external sources (browser history and bookmarks) that can contain attacker-controlled content.
  - Ingestion points: The scripts/atlas_cli.py script reads records from the Atlas History database and Bookmarks file.
  - Boundary markers: The skill does not implement specific delimiters or instructions to help the agent distinguish between data content and system instructions when processing the retrieved records.
  - Capability inventory: The skill possesses the capability to execute AppleScript commands via subprocess.run to manipulate browser tabs and windows.
  - Sanitization: While the skill uses SQL parameterization and AppleScript string escaping to prevent technical injection into those languages, it does not sanitize the data against natural language prompt injection that could influence the agent's behavior.
Audit Metadata