macos-finder
Pass
Audited by Gen Agent Trust Hub on Mar 22, 2026
Risk Level: SAFE COMMAND_EXECUTION PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on `osascript` to execute AppleScript for all its core functions, including file system modifications (move, copy, rename, delete) and application control. While these are intended features for a Finder skill, they provide broad access to the user's files.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it retrieves and processes untrusted data from the local environment that an attacker could control.
  - Ingestion points: File and folder names are retrieved in `scripts/item/list.applescript` and `scripts/folder/list.applescript`. Spotlight comments are retrieved in `scripts/item/info.applescript` and `scripts/item/comment.applescript`.
  - Boundary markers: No delimiters or safety instructions are used when presenting these strings to the agent to distinguish between data and potential commands.
  - Capability inventory: The skill possesses high-privilege capabilities including deleting files (`scripts/file/delete.applescript`), emptying the trash (`scripts/trash/empty.applescript`), and launching applications (`scripts/file/open.applescript`).
  - Sanitization: The skill does not perform any sanitization, validation, or escaping of the metadata retrieved from the system before it is passed to the agent's context.