clipboard

Pass

Audited by Gen Agent Trust Hub on Jun 17, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill invokes several shell commands including cat, pbcopy, rm, and the swift interpreter. It uses swift -e to execute dynamically generated code that interfaces with the macOS AppKit and NSPasteboard APIs to handle rich text formatting.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection when processing untrusted conversation data for clipboard operations.
  • Ingestion points: The skill retrieves and processes the 'most recent relevant text block' directly from the conversation history (SKILL.md).
  • Boundary markers: The skill uses single-quoted heredocs (e.g., <<'CLIPBOARD') to enclose user text. Quoting the delimiter prevents parameter expansion and command substitution inside the body, but it does not prevent an attacker from terminating the heredoc early: a line in the message that consists exactly of the literal delimiter closes the heredoc, and every line that follows is parsed and executed by the shell as commands.
  • Capability inventory: The agent can write files to the /tmp directory, execute shell commands, and run arbitrary Swift code via the CLI (SKILL.md).
  • Sanitization: While the instructions recommend single-quoted delimiters as a safety measure, they do not require checking the text for a line equal to the delimiter itself (or choosing a delimiter the text cannot contain). Text that closes the heredoc early escapes the cat command, and the remainder of the message runs as shell commands with the agent's privileges, which is command injection.
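The following shell example is added here to illustrate the boundary-marker and sanitization findings above; it is not code from the audited skill or from Gen Agent Trust Hub. It reproduces the pattern the audit describes (untrusted text spliced into a `cat <<'CLIPBOARD'` heredoc), shows a constructed attacker message that closes the heredoc and runs a command, and adds a whole-line literal check that refuses such text before a script is generated. The delimiter `CLIPBOARD` comes from the audit; the destination file name `out.txt`, the marker file `INJECTED`, and the function names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the audited skill: shows how a single-quoted
# heredoc is closed early by a line equal to its delimiter, and a generator
# that refuses such text. Delimiter taken from the audit; everything else is
# constructed for this demonstration.

DELIM='CLIPBOARD'

# Naive generator (the audited pattern): splices untrusted text between the
# heredoc opener and a fixed delimiter. Quoting the delimiter stops expansion
# inside the body, but nothing stops the body from containing the delimiter
# line itself. $1 = destination file, $2 = untrusted text.
naive_script() {
  printf "cat <<'%s' > '%s'\n%s\n%s\n" "$DELIM" "$1" "$2" "$DELIM"
}

# Whole-line, literal check: does the text contain a line that is exactly
# the delimiter? A heredoc ends at the first such line; POSIX requires an
# exact match, so "CLIPBOARD " with a trailing space does not terminate it.
contains_delimiter_line() {
  printf '%s\n' "$1" | grep -qxF -- "$2"
}

# Hardened generator: refuses text that would terminate the heredoc.
# Prints nothing and returns 1 when the check fails.
safe_script() {
  if contains_delimiter_line "$2" "$DELIM"; then
    echo "refusing: text contains a '$DELIM' line" >&2
    return 1
  fi
  naive_script "$1" "$2"
}

# Runs a generated script in a scratch directory and returns 0 if the
# injected command left its marker file behind (i.e. the injection fired).
run_and_check_marker() {
  dir=$(mktemp -d)
  printf '%s\n' "$1" > "$dir/gen.sh"
  (cd "$dir" && sh ./gen.sh)
  if [ -e "$dir/INJECTED" ]; then rc=0; else rc=1; fi
  rm -rf "$dir"
  return $rc
}

# Constructed attacker message: closes the heredoc, runs a command, then
# reopens a heredoc so the trailing delimiter the generator appends is
# consumed quietly and the script shows no syntax error.
EVIL="harmless looking paragraph
CLIPBOARD
touch INJECTED
cat <<'CLIPBOARD' > /dev/null"

# Constructed benign message.
BENIGN="just some text to copy
with two lines"

# Demonstration when run directly.
if run_and_check_marker "$(naive_script out.txt "$EVIL")"; then
  echo "naive generator: injected command executed"
fi
if ! safe_script out.txt "$EVIL" >/dev/null; then
  echo "safe generator: refused attacker text"
fi
safe_script out.txt "$BENIGN" >/dev/null && echo "safe generator: accepted benign text"
```

The check is deliberately a whole-line match rather than a substring match: the word `CLIPBOARD` inside a sentence is harmless, only a line that is exactly the delimiter closes the heredoc. Choosing a random delimiter per invocation achieves the same goal without rejecting input, provided the generator still verifies the text does not contain it.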
Audit Metadata
Risk Level: SAFE
Analyzed: Jun 17, 2026, 03:36 AM