apple-voice-memos
Warn
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: MEDIUMDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill accesses sensitive macOS system directories containing private user communications and recording metadata.
- Evidence: The script
scripts/extract-apple-voice-memos-metadataqueries the SQLite database located at~/Library/Group Containers/group.com.apple.VoiceMemos.shared/Recordings/CloudRecordings.db. - Evidence: The script
scripts/extract-apple-voice-memos-transcriptreads binary.m4afiles from the same private directory. - Context: While these operations are necessary for the skill's purpose, they involve direct access to sensitive user data and personal records.
- [PROMPT_INJECTION]: The skill processes voice memo transcripts and passes them to an LLM subagent for further processing, which is a vector for indirect prompt injection.
- Ingestion points:
scripts/extract-apple-voice-memos-transcript(processes external audio data into text). - Boundary markers: The skill uses a
## Transcriptheader inPROMPT.mdto separate the transcript from instructions, but does not provide explicit instructions to ignore embedded commands. - Capability inventory: The agent has access to the
Bashtool and custom scripts that can read from the filesystem. - Sanitization: There is no evidence of sanitization or filtering applied to the transcript content to prevent malicious instructions from being executed by the subagent.
Audit Metadata