macos-safari
Warn
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: MEDIUM (DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [DATA_EXFILTRATION]: The skill accesses sensitive local files containing user browsing data.
  - Evidence in `SKILL.md`: Uses `sqlite3` to query `~/Library/Safari/History.db` for visit titles and URLs.
  - Evidence in `SKILL.md`: Uses `plutil` to read and search `~/Library/Safari/Bookmarks.plist`.
- [REMOTE_CODE_EXECUTION]: The skill can execute arbitrary JavaScript within the context of any open web page.
  - Evidence: `scripts/javascript/run.applescript` uses the `do JavaScript` command to run code provided as an argument.
- [COMMAND_EXECUTION]: The skill makes extensive use of the `osascript` command to control system applications and behavior.
  - Evidence: Multiple scripts in the `scripts/` directory use `osascript` to manage tabs, windows, and URLs.
  - Evidence: `scripts/tab/email-contents.applescript` triggers the Mail application to process the current tab content.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection when processing untrusted content from the web.
  - Ingestion points: `scripts/tab/source.applescript` (HTML source), `scripts/tab/title.applescript` (page titles), and `scripts/tab/list.applescript` (tab names and URLs).
  - Boundary markers: No explicit delimiters or "ignore embedded instructions" warnings are used when the agent retrieves web content.
  - Capability inventory: The skill has the ability to execute JavaScript, open arbitrary URLs, and read sensitive local files (`History.db`, `Bookmarks.plist`).
  - Sanitization: There is no evidence of sanitization or validation of the data retrieved from web pages before it is returned to the agent context.
- [EXTERNAL_DOWNLOADS]: The skill's documentation suggests installation via external package managers.
  - Evidence in `README.md`: Instructions for installation using `npx` and `skills.sh`.
Audit Metadata