macos-safari

Warn

Audited by Gen Agent Trust Hub on Mar 22, 2026

Risk Level: MEDIUM
DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill accesses highly sensitive local databases and files related to the user's web browsing activity.
      • Evidence: The skill provides commands to read ~/Library/Safari/History.db using sqlite3 to extract visit titles and URLs.
      • Evidence: The skill converts and searches ~/Library/Safari/Bookmarks.plist using plutil, exposing user bookmarks.
  • [COMMAND_EXECUTION]: The skill makes extensive use of system utilities to control applications and manipulate data.
      • Evidence: Uses osascript to drive Safari automation, including Safari's "do JavaScript" command, which allows arbitrary code execution within the context of any open web page.
      • Evidence: Uses screencapture to take screenshots of the browser window, which may contain sensitive information.
      • Evidence: Uses sqlite3 and plutil to interact with system files and databases.
  • [PROMPT_INJECTION]: The skill presents a surface for indirect prompt injection because it ingests and processes untrusted data from external websites.
      • Ingestion points: scripts/tab/source.applescript (fetches raw HTML source) and scripts/javascript/run.applescript (fetches page text).
      • Boundary markers: None identified; the skill returns raw content from the browser directly to the agent's context.
      • Capability inventory: Access to system-level automation via AppleScript, the ability to read private browser data (history/bookmarks), and the ability to perform actions in the browser (JS execution).
      • Sanitization: No sanitization, filtering, or validation is performed on the content retrieved from web pages before it is processed by the agent.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 22, 2026, 04:27 PM