cli-anything-safari

Warn

Audited by Gen Agent Trust Hub on Apr 18, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill operates by spawning fresh subprocesses for tool invocations, specifically executing commands through npx safari-mcp.
  • [EXTERNAL_DOWNLOADS]: The skill is configured to automatically download and run the safari-mcp package from the npm registry upon its first use.
  • [REMOTE_CODE_EXECUTION]: Commands such as tool evaluate and tool run-script allow the execution of arbitrary JavaScript code within the context of the active Safari browser page.
  • [DATA_EXFILTRATION]: The toolset includes capabilities to access sensitive information, including browser cookies (get-cookies), local storage (local-storage), and the macOS system clipboard (clipboard-read).
  • [PROMPT_INJECTION]: As a browser automation harness, the skill has a significant attack surface for indirect prompt injection, where malicious instructions on a website could influence the agent's actions.
      • Ingestion points: Processes external data from URLs via commands like tool navigate and tool snapshot.
      • Boundary markers: The skill documentation references URL schema validation in utils/security.py to prevent access to dangerous protocols.
      • Capability inventory: Includes the ability to write files (save-pdf), execute JavaScript (evaluate), and modify the system clipboard.
      • Sanitization: Implements validation to block dangerous schemes such as file:, javascript:, and data:, and can optionally block private network access.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 18, 2026, 12:02 PM