Security Audit
sundial-org/awesome-openclaw-skills:skills/apple-contacts
github.com/sundial-org/awesome-openclaw-skills
Trust Assessment
sundial-org/awesome-openclaw-skills:skills/apple-contacts received a trust score of 42/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 1 finding: 1 critical, 0 high, 0 medium, and 0 low severity. Key findings include Potential AppleScript/Shell Command Injection via `osascript`.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on March 3, 2026 (commit 6d998e00). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Potential AppleScript/Shell Command Injection via `osascript` | LLM | SKILL.md:12 |

Finding detail: The skill demonstrates the use of `osascript` to interact with macOS Contacts.app. If user-provided input (e.g., contact name, phone number, or any search query) is directly interpolated into the AppleScript string without proper sanitization, an attacker could inject arbitrary AppleScript commands or shell commands (via `do shell script`). This could lead to unauthorized data access, modification, or execution of malicious code on the user's system, as `osascript` runs with the user's permissions.

Recommendation: Any user-provided input used to construct the `osascript` command string must be thoroughly sanitized before interpolation. This typically involves escaping single quotes (`'`) and other special characters relevant to AppleScript string literals to prevent breaking out of the intended string context. The LLM agent should be explicitly instructed on how to perform this sanitization (e.g., replacing `'` with `"&"'"&""`) before generating the `osascript` command.
Full report: https://skillshield.io/report/91f67902918b4af0
Powered by SkillShield