skills/jwa91/agentskills/mac-cleanup/Gen Agent Trust Hub

mac-cleanup

Fail

Audited by Gen Agent Trust Hub on Feb 13, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The skill performs extensive destructive operations on the filesystem, including recursive deletion (rm -rf) of caches, development artifacts (node_modules, .venv), and trash. It also utilizes osascript to delete applications via Finder and executes complex package manager commands (e.g., docker system prune, brew cleanup). While the skill includes internal 'Safety Rules', these are instructions to the AI agent and do not provide programmatic enforcement of safety constraints.
  • [PROMPT_INJECTION] (HIGH): The skill is highly susceptible to Indirect Prompt Injection. It ingests untrusted data from the local environment, including directory names, filenames, and application metadata retrieved via brew info. This data is then summarized and processed by the AI agent to determine cleanup actions. Maliciously crafted filenames or metadata could trigger the agent to bypass its internal safety rules or execute unauthorized commands.
      • Ingestion points: Filesystem scan results from scan.py, directory paths, and application descriptions from brew.
      • Boundary markers: Absent. The skill does not define delimiters to separate untrusted data from the agent's instructions.
      • Capability inventory: Includes recursive file deletion, application uninstallation, and package manager cache purging.
      • Sanitization: Absent. There is no evidence of filtering or sanitization of strings discovered on the system before they are processed by the agent.
  • [REMOTE_CODE_EXECUTION] (MEDIUM): The skill attempts to execute a local Python script (.agents/skills/mac-cleanup/scripts/scan.py) that is not included in the audited files. Running unverified scripts located in relative paths can lead to arbitrary code execution if the environment is compromised.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 13, 2026, 07:40 PM