osascript
Warn
Audited by Snyk on Feb 16, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). This skill can run arbitrary AppleScript via osascript and explicitly mentions interacting with Safari, which allows fetching and reading arbitrary web pages/URLs (untrusted third‑party content) that the agent could be asked to read and interpret.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (low risk: 0.30). The skill allows running arbitrary AppleScript/osascript to control macOS and applications (which can change system and app state), but it does not explicitly instruct obtaining sudo, editing privileged system files, or creating users, so it poses some but not high explicit risk.