macfig
Warn
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses direct interpolation of the `$ARGUMENTS` variable into a Bash command string: `macfig list $ARGUMENTS 2>&1`. If the underlying platform does not sanitize user input before substituting this variable, an attacker could potentially execute arbitrary shell commands by including metacharacters such as semicolons, pipes, or ampersands in their request (e.g., `; rm -rf /`).
- [EXTERNAL_DOWNLOADS]: The skill instructs users to install an external utility via `brew install lu-zhengda/tap/macfig`. This tool is hosted in a personal Homebrew tap belonging to the skill author (lu-zhengda). This is documented as a vendor-specific resource.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it reads and processes data from the local system's preferences (macOS defaults) and interprets it without strict boundaries.
  - Ingestion points: The skill reads system data using `macfig list $ARGUMENTS`, `macfig get`, and `macfig search` (SKILL.md).
  - Boundary markers: Absent. The output from the tool is passed directly to the agent for analysis without delimiters or instructions to ignore embedded commands.
  - Capability inventory: The skill has the capability to write and modify system configuration via `Bash(macfig:*)` (SKILL.md).
  - Sanitization: There is no evidence of sanitization or validation for the values retrieved from the system defaults before they are processed by the agent.
Audit Metadata