macos-say

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The documentation guides the agent to use the macOS 'say' command. If implemented via a shell interface without proper escaping, an attacker can exploit this to execute arbitrary code. Additionally, the '-f' flag allows reading from arbitrary files, which could be abused to expose sensitive local data.
  • [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8) because it processes untrusted text input through a command-execution capability.
      1. Ingestion points: Text strings passed to the 'say' utility in SKILL.md.
      2. Boundary markers: Absent; no delimiters are used to separate user input from the command structure.
      3. Capability inventory: Execution of shell commands (specifically the 'say' utility).
      4. Sanitization: Absent; no escaping or validation of the input text is mentioned or required by the documentation.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 10:58 AM