clipboard
Pass
Audited by Gen Agent Trust Hub on Jun 17, 2026
Risk Level: SAFE COMMAND_EXECUTION PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill invokes several shell commands including `cat`, `pbcopy`, `rm`, and the `swift` interpreter. It uses `swift -e` to execute dynamically generated code that interfaces with the macOS `AppKit` and `NSPasteboard` APIs to handle rich text formatting.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection when processing untrusted conversation data for clipboard operations.
  - Ingestion points: The skill retrieves and processes the 'most recent relevant text block' directly from the conversation history (SKILL.md).
  - Boundary markers: The skill uses single-quoted heredocs (e.g., `<<'CLIPBOARD'`) to enclose user text. While this prevents shell variable expansion, it does not prevent an attacker from terminating the heredoc early by including the literal delimiter string in their message.
  - Capability inventory: The agent can write files to the `/tmp` directory, execute shell commands, and run arbitrary Swift code via the CLI (SKILL.md).
  - Sanitization: While the instructions suggest using single-quoted delimiters as a safety measure, there is no requirement to sanitize the input for the delimiters themselves, which can lead to command injection if the input text escapes the `cat` command.
Audit Metadata