reddit-post
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill uses osascript to execute shell commands that grant the AI agent direct control over the host's applications (Google Chrome), bypassing standard application sandboxing.
- [REMOTE_CODE_EXECUTION] (HIGH): By using execute javascript via AppleScript, the skill runs dynamically generated code within the context of an authenticated browser tab. This is the functional equivalent of a self-inflicted Cross-Site Scripting (XSS) attack facilitated by automation.
- [CREDENTIALS_UNSAFE] (HIGH): The skill programmatically scrapes the modhash (a CSRF security token) and session data from reddit.com/api/me.json. This allows the agent to bypass Reddit's intended API security model and act as the user.
- [DATA_EXFILTRATION] (MEDIUM): Private session information and server responses are extracted from the browser environment and passed back to the AI agent's context using the document.title side-channel.
- [PRIVILEGE_ESCALATION] (MEDIUM): The skill requires the user to enable 'Allow JavaScript from Apple Events' in Chrome. This instruction lowers the security posture of the user's machine, allowing any local process to take full control of the browser session without further user interaction.
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill reads data from browser tab titles.
  - Ingestion points: osascript -e '... return title of active tab' in Steps 1 and 4.
  - Boundary markers: None. The agent blindly trusts the tab title as the result of its previous command.
  - Capability inventory: Subprocess execution via osascript, arbitrary JS execution.
  - Sanitization: None. A malicious website could change its title to influence agent logic.
Recommendations
- AI detected serious security threats
Audit Metadata