macos-contacts
Pass
Audited by Gen Agent Trust Hub on Mar 21, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes contact information which represents an untrusted ingestion surface. If a contact record contains malicious instructions, it could lead to indirect prompt injection when the agent reads the data.
- Ingestion points: The scripts
scripts/applescripts/contact/get.applescriptandscripts/applescripts/contact/search.applescriptread names, notes, and other fields from the Contacts application into the agent's context. - Boundary markers: The skill uses a structured JSON envelope and explicitly separates data fields, which helps the agent distinguish between command output and data.
- Capability inventory: The skill possesses write capabilities including adding (
add.sh), editing (edit.sh), and deleting (delete.sh) contact records. - Sanitization: String data is escaped using a custom
jsonEscapefunction inscripts/applescripts/contact/_lib.applescriptto ensure the integrity of the JSON structure. - [COMMAND_EXECUTION]: The skill executes
osascriptto perform macOS automation tasks. - Evidence: Files such as
scripts/contacts.shand AppleScript files useosascriptanddo shell scriptto interact with the system. These operations are essential for the skill's purpose and utilize proper sanitization, such as thequoted form ofproperty in AppleScript, to prevent command injection from user-provided data.
Audit Metadata