macos-safari
Fail
Audited by Gen Agent Trust Hub on Mar 20, 2026
Risk Level: HIGH
Findings: DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill accesses highly sensitive local databases containing the user's private data.
  - Evidence: In SKILL.md, the skill reads ~/Library/Safari/History.db using sqlite3 to retrieve detailed browsing history.
  - Evidence: In SKILL.md, the skill reads ~/Library/Safari/Bookmarks.plist using plutil to extract user bookmarks.
- [COMMAND_EXECUTION]: The skill facilitates the execution of arbitrary code within the browser context.
  - Evidence: scripts/javascript/run.applescript uses the "do JavaScript" command to run any provided script in the active Safari tab.
  - Evidence: SKILL.md includes examples for manipulating web forms and clicking buttons via injected JavaScript, which could be abused to perform actions on behalf of the user.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted data from external websites.
  - Ingestion points: scripts/tab/source.applescript (reads page HTML) and scripts/javascript/run.applescript (reads innerText via JavaScript).
  - Boundary markers: No delimiters or ignore-instructions are present to separate untrusted data from agent instructions.
  - Capability inventory: High-risk capabilities include sensitive file reading (sqlite3/plutil), browser navigation (open.applescript), and code execution (run.applescript).
  - Sanitization: There is no evidence of sanitization or validation of the retrieved web content before it enters the agent context.
Recommendations
- AI detected serious security threats
Audit Metadata