apple-contacts
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFE COMMAND_EXECUTION
Full Analysis
- [SAFE]: The skill provides legitimate functionality for managing macOS contacts using system-native automation via osascript.
- [COMMAND_EXECUTION]: The main script scripts/contacts.sh executes osascript with JavaScript for Automation (JXA). User-provided inputs (such as search queries or contact details) are passed as positional arguments to the JXA environment rather than being interpolated into the script text, which prevents command and script injection vulnerabilities.
- [DATA_EXFILTRATION]: While the skill reads sensitive personal data from the Contacts database, it does not contain any network operations or mechanisms to exfiltrate this information. The data is returned locally to the agent in structured JSON format.
Audit Metadata