atlas

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION

Full Analysis
  • [COMMAND_EXECUTION] (MEDIUM): The skill executes a local Python script (atlas_cli.py) via the uv tool to control the ChatGPT Atlas application. This involves using AppleScript to manipulate application windows and tabs, which requires the user to grant Automation permissions in macOS system settings.
  • [DATA_EXFILTRATION] (MEDIUM): The skill accesses sensitive personal data located in ~/Library/Application Support/com.openai.atlas/browser-data/host/. It specifically reads the SQLite databases for browser history and bookmarks. While this is aligned with the skill's primary stated purpose, it exposes comprehensive user browsing activity to the agent context.
  • [PROMPT_INJECTION] (LOW): Vulnerable to Indirect Prompt Injection (Category 8). The skill ingests untrusted data from browser history and bookmark titles/URLs.
      1. Ingestion points: bookmarks and history CLI commands.
      2. Boundary markers: Absent.
      3. Capability inventory: Local script execution via uv run and UI automation via AppleScript.
      4. Sanitization: No evidence of sanitization or instruction-filtering for the ingested metadata.

Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 05:48 PM