atlas
Fail
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: HIGH
Tags: DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
- Data Exposure & Exfiltration (HIGH): The skill accesses highly sensitive user data by reading the browser's `History` (SQLite) and `Bookmarks` (JSON) files located in the `~/Library/Application Support/com.openai.atlas/` directory.
  - Evidence: `LOCAL_STATE_PATH`, `get_history_path()`, and `get_bookmarks_path()` in `scripts/atlas_common.py` target known sensitive browser profile paths.
- Command Execution (MEDIUM): The skill executes system-level commands using the `osascript` utility to control the Atlas application through AppleScript.
  - Evidence: The `run_applescript` and `_run_applescript_raw` functions in `scripts/atlas_common.py` use `subprocess.run` to call `osascript` with dynamically generated script strings.
- Indirect Prompt Injection (LOW): The skill ingests untrusted data from browser history and bookmarks, which could contain malicious instructions designed to influence the agent's behavior when processed.
  - Ingestion points: Browser `History` and `Bookmarks` files read in `scripts/atlas_common.py`.
  - Boundary markers: Absent; no delimiters or instructions are used to separate user data from control logic.
  - Capability inventory: Includes `osascript` execution (system control) and file read access.
  - Sanitization: Absent; no evidence of data escaping or validation for content retrieved from browser history.
- Dynamic Execution (MEDIUM): The skill dynamically constructs and executes AppleScript code at runtime, which is a form of executable content generation.
  - Evidence: The `tell_atlas` function in `scripts/atlas_common.py` wraps arbitrary script bodies into application-specific AppleScript blocks.
Recommendations
- AI detected serious security threats
Audit Metadata