apple-photos
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes multiple local shell scripts (e.g., photos-count.sh, photos-export.sh) to interface with the Apple Photos app. It explicitly instructs users to grant Full Disk Access to the terminal, a high-privilege permission that enables the agent to bypass macOS's standard privacy protections for user data.
- [DATA_EXFILTRATION]: The skill accesses the sensitive SQLite database of the Apple Photos application. This represents an exposure of private user data, including images, video metadata, face recognition records, and location history. The skill also includes commands to export these files to the local file system.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface because it processes potentially untrusted content from the Photos library database, such as person names or ML-generated content descriptions, which could contain malicious instructions. 1. Ingestion points: Output from the photos-search-content.sh and photos-list-people.sh scripts. 2. Boundary markers: None provided in the documentation. 3. Capability inventory: Local shell script execution and access to restricted system databases. 4. Sanitization: No sanitization or validation of data retrieved from the database is documented.
Audit Metadata