Apple Contacts

Security checks across malware telemetry and agentic risk

Overview

This skill transparently provides a macOS Contacts CLI with sensitive read/write powers, and I found no hidden exfiltration, persistence, or unrelated behavior.

Install only if you are comfortable granting the agent host access to your macOS Contacts. Use narrow searches, treat outputs as private, confirm exact contact identities before create/update/delete/list actions, avoid `delete --force` unless you are certain, and do not run the included live tests unless you are prepared for them to modify your real Contacts store.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:
f'  save\n'
        f'end tell'
    )
    result = subprocess.run(['osascript', '-e', script], capture_output=True, text=True)
    if result.returncode != 0:
        print(f"Error removing from list: {result.stderr.strip() or result.stdout.strip()}")
        sys.exit(1)
Confidence: 92%
Finding:
result = subprocess.run(['osascript', '-e', script], capture_output=True, text=True)

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding:
The skill fetches and can serialize a very broad set of contact fields, including notes, URLs, social profiles, birthdays, dates, thumbnails, and list membership, beyond the core create/update fields described in the manifest. Excessive data access increases privacy exposure and violates data minimization, making accidental over-disclosure more likely when contacts are searched or shown.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding:
The skill extends its privilege boundary by executing osascript to manipulate Contacts.app, introducing a general-purpose automation capability not inherent to normal CNContactStore usage. This increases attack surface because interpolated inputs are executed by an external scripting engine and can interact with broader macOS automation permissions.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The invocation guidance is broad enough that an agent may select this skill for routine contact-related requests without clearly signaling that it will access or modify sensitive personal data in the macOS Contacts store. In practice, this increases the chance of overbroad tool use, including unintended reads, edits, deletions, or list changes based on ambiguous user prompts.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The skill description does not warn that it can read, create, update, delete, and reorganize sensitive personal contact information, which may include names, phone numbers, emails, addresses, and group memberships. Without clear disclosure and safety boundaries, users and downstream agents may invoke high-impact operations without appreciating the privacy and integrity risks.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
This skill reads directly from the user's macOS Contacts store and can output highly sensitive personal data such as phone numbers, emails, addresses, birthdays, notes, and group membership. Without an explicit privacy warning, users or downstream agents may treat routine search/show operations as low risk and inadvertently expose personal or regulated contact information.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
Documenting `delete --force` without a strong warning normalizes irreversible destructive behavior against the user's address book. In an agentic setting, this increases the risk of accidental or unauthorized bulk or mistaken deletions, especially because contacts are personal data and recovery may be difficult or impossible depending on sync state.

VirusTotal

64/64 vendors flagged this skill as clean.