omnifocus-manager
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- Indirect Prompt Injection (LOW): This skill has an attack surface for indirect prompt injection because it reads user-generated content (task names, notes, and project names) and provides the agent with write capabilities to the same database.
  - Ingestion points: get_inbox.js, get_projects.js, and get_tags.js read data from the local OmniFocus database.
  - Boundary markers: None are present to distinguish between task data and instructions.
  - Capability inventory: add_task.js, update_task.js, and create_tag.js allow the agent to modify the local OmniFocus database.
  - Sanitization: get_inbox.js truncates notes to 200 characters, but no other sanitization or escaping of task content is performed.
- Data Exposure & Exfiltration (SAFE): The scripts read data from OmniFocus, which is their primary purpose. There are no network operations (like curl or fetch) or attempts to read sensitive system files (e.g., SSH keys, credentials).
- Command Execution (SAFE): While the scripts are executed via osascript, they do not spawn arbitrary shell commands or execute untrusted strings as code. Input is safely parsed using JSON.parse().
- Obfuscation (SAFE): No evidence of Base64 encoding, zero-width characters, or homoglyph attacks was found in any of the scripts.
- Unverifiable Dependencies (SAFE): No external packages (npm/pip) are required or installed by these scripts.
Audit Metadata