icloud-findmy

Warn

Audited by Gen Agent Trust Hub on Apr 21, 2026

Risk Level: MEDIUM (REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
  • [REMOTE_CODE_EXECUTION]: Use of unsafe eval for data parsing. The skill instructs the agent to parse stringified Python dictionaries from the icloud CLI using eval(). This allows for arbitrary code execution if the input data, such as a device name, is manipulated to contain malicious Python code.
  • [EXTERNAL_DOWNLOADS]: Third-party library dependency. The skill requires the pyicloud package from PyPI. This is an unofficial community library that manages sensitive Apple ID authentication and session tokens.
  • [COMMAND_EXECUTION]: Shell command reliance. The skill uses shell tools such as grep, sed, and the icloud CLI. This increases the attack surface for command injection if the agent does not correctly sanitize input parameters.
  • [DATA_EXFILTRATION]: Access to sensitive geographic data. The skill retrieves real-time GPS coordinates and battery status, which constitutes the handling of highly sensitive private information.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Apr 21, 2026, 12:49 AM