apple-photos

Fail

Audited by Gen Agent Trust Hub on Feb 25, 2026

Risk Level: HIGH
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: Multiple scripts, including photos-search-person.sh, photos-search-date.sh, and photos-export.sh, directly interpolate user-provided arguments into shell commands and SQLite queries without sanitization. This allows for SQL injection or command manipulation.
  • [REMOTE_CODE_EXECUTION]: The photos-search-content.sh script is vulnerable to AppleScript injection. The $QUERY variable is placed inside a double-quoted AppleScript string executed via osascript. An attacker could break out of this string and use the do shell script command to execute arbitrary shell commands on the host machine.
  • [DATA_EXFILTRATION]: The skill accesses highly sensitive personal data stored in the Apple Photos library database (~/Pictures/Photos Library.photoslibrary/database/Photos.sqlite), including facial recognition identification. Furthermore, scripts/photos-info.sh explicitly extracts and displays latitude and longitude coordinates (GPS data) associated with assets.
  • [PROMPT_INJECTION]: The skill has a surface for indirect prompt injection. It ingests untrusted data from the user's photo library (such as filenames and person names) and presents it to the agent. Because the skill possesses capabilities to execute shell commands and write to the file system, a malicious entry in the library could be used to influence the agent's behavior. Evidence: Ingestion points include SQLite results in photos-recent.sh and photos-list-people.sh; no boundary markers or sanitization logic are present; capabilities include subprocess calls to sqlite3, osascript, and magick across the script suite.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 25, 2026, 11:28 PM