skills/szoloth/skills/macos-automator/Gen Agent Trust Hub

macos-automator

Warn

Audited by Gen Agent Trust Hub on Feb 26, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The execute_script tool enables the execution of arbitrary AppleScript and JavaScript for Automation (JXA). Documentation examples explicitly show the use of do shell script, which allows for the execution of any system-level shell command.
  • [DATA_EXFILTRATION]: The skill has the capability to read sensitive information, such as system clipboard contents and active browser URLs. These capabilities, when paired with the ability to execute shell commands or interact with UI elements, provide a mechanism for data exposure.
  • [PROMPT_INJECTION]: The skill creates a surface for indirect prompt injection by processing untrusted data from the user's environment.
      • Ingestion points: System clipboard contents (via AppleScript), browser tab information (via KB scripts), and UI element values (via accessibility_query).
      • Boundary markers: The skill does not define specific delimiters or instructions to the agent to disregard instructions found within the ingested system data.
      • Capability inventory: High-privilege tools include execute_script (AppleScript/JXA/Shell) and accessibility_query (UI control and value retrieval).
      • Sanitization: No sanitization or validation logic is present to filter or escape content retrieved from the system before it is presented to the agent.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 26, 2026, 10:19 PM