automating-mac-apps
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION] (LOW): Indirect prompt injection surface identified in recipes that process untrusted external data.
  - Ingestion points: The skill reads external data such as email subjects and senders (references/mail.md), calendar event titles (references/calendar-notes.md), and meeting transcripts (references/meeting-automation-playbook.md).
  - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present in the provided examples.
  - Capability inventory: The skill includes capabilities to send emails (msg.send()), write files (writeToFile), and execute shell commands (do shell script).
  - Sanitization: No sanitization of ingested external content is demonstrated before it is used in follow-up actions like drafting emails or creating action items.
- [COMMAND_EXECUTION] (LOW): The skill provides patterns for executing shell commands via AppleScript and JXA.
  - Evidence: Recipes in references/basics.md and references/finder.md demonstrate the use of 'do shell script'.
  - Context: The risk is mitigated by the documentation's emphasis on security best practices, such as using 'quoted form of' in AppleScript and 'shQuote()' in JXA to prevent command injection.
- [DATA_EXFILTRATION] (SAFE): The skill accesses sensitive user data repositories as part of its intended functionality.
  - Evidence: Recipes explicitly target the Mail, Notes, and Calendar apps to read messages and events.
  - Context: This access is consistent with the skill's purpose for macOS automation. No evidence of unauthorized network transmission or exfiltration to external domains was identified.