karabiner
Warn
Audited by Gen Agent Trust Hub on Mar 30, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes `sudo` for administrative operations, such as `karabiner_cli --copy-current-profile-to-system-default-profile`. Executing commands with root privileges allows for system-wide configuration changes that could affect keyboard behavior for all users on the device.
- [COMMAND_EXECUTION]: The skill documents the `karabiner_cli --eval-js` command, which executes JavaScript code using an embedded engine. This presents a dynamic execution vector that could be used to run arbitrary logic if the script path is manipulated.
- [PROMPT_INJECTION]: The skill has a surface for indirect prompt injection as it reads and processes configuration data from local files that could contain malicious instructions.
  - Ingestion points: Reads configuration data from `~/.config/karabiner/karabiner.json` and external rule assets in `~/.config/karabiner/assets/`.
  - Boundary markers: Absent; the skill does not provide delimiters or instructions to ignore commands or instructions embedded within the configuration files.
  - Capability inventory: The skill has access to the `Bash` tool for running CLI commands and the `Edit` tool for modifying system-level keyboard configuration.
  - Sanitization: Absent; there is no evidence of validation or filtering for the content of the configuration files before they are processed by the agent.