pasteboard-textinsertion
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8). Evidence Chain:
  - Ingestion points: The VariableExpander class in SKILL.md reads the entire system clipboard via the {{clipboard}} placeholder.
  - Boundary markers: Absent. There are no delimiters or instructions to treat the clipboard content as untrusted data.
  - Capability inventory: The skill can simulate low-level keystrokes (CGEvent), perform character-by-character typing, and directly modify UI element values via AXUIElementSetAttributeValue.
  - Sanitization: Absent. Content from the clipboard is interpolated directly into the insertion string without escaping or validation.
- [COMMAND_EXECUTION] (HIGH): The use of CGEvent to simulate key presses allows the skill to bypass standard application safety boundaries. If an attacker-controlled string is processed, it could be used to simulate Cmd+Space (Spotlight) followed by terminal commands, or other dangerous system-level interactions.
- [DATA_EXPOSURE] (MEDIUM): The skill explicitly accesses sensitive user information, including the system clipboard's current content and the user's full name via NSFullUserName(). While no exfiltration logic is present in this file, the exposure of this data to the agent's context increases the risk of exfiltration by other tools.
- [PRIVILEGE_ESCALATION] (LOW): The skill requires macOS Accessibility permissions to function. While it correctly checks AXIsProcessTrusted(), the requirement for these permissions grants the agent broad control over the user interface, which could be abused if the agent is compromised.
Recommendations
- AI detected serious security threats