macos-automator

Functionally correct for macOS automation but high-risk by design: the skill grants broad privileges (arbitrary AppleScript/JXA and shell execution, accessibility reads, filesystem and clipboard access) without described sandboxing, input validation, or KB provenance controls. That creates straightforward paths for credential harvesting and data exfiltration if a caller or the KB is malicious or compromised. No explicit malicious code was identified in the provided text, but operational and supply-chain mitigations are required before allowing untrusted callers to use this capability.