Omnifocus4
Security checks across malware telemetry and agentic risk
Overview
This OmniFocus integration is mostly purpose-aligned, but it asks the agent to run unsandboxed local commands through a missing wrapper while having authority to read, change, and delete your tasks.
Install only if you trust the publisher and are comfortable granting local OmniFocus automation. Before use, verify what .claude/skills/omnifocus4/scripts/of actually points to, keep write approval in `once` or `every` mode, avoid `yolo` mode, and remember that task notes returned by the skill may appear in your agent conversation.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the command path or script is wrong, changed, or misused, the agent could run local automation with fewer containment protections.
The skill explicitly asks the agent to bypass the local Bash sandbox for each invocation. That may be needed for AppleScript automation, but it materially broadens local execution authority.
Pass `dangerouslyDisableSandbox: true` on every Bash call.
Only use this on a trusted Mac, verify the exact executable being run, and avoid disabling the sandbox unless there is no safer scoped alternative.
A mistaken or over-authorized command could alter, complete, move, or permanently delete OmniFocus items.
The documented command set includes destructive OmniFocus operations. This is purpose-aligned for a task-management integration, but users should know it can change or delete real tasks.
| `delete` | `<taskId>` | Permanently delete |
Keep write authorization in a cautious mode and review destructive commands, especially delete, before allowing them.
The skill may fail, or a different local file named scripts/of could become the command the agent runs, which is especially risky when sandboxing is disabled.
The instructions invoke a scripts/of executable, but the provided file manifest lists scripts/omnifocus.py and does not include scripts/of. The actual instructed entrypoint is therefore missing from the reviewed artifacts.
.claude/skills/omnifocus4/scripts/of <command> [args...]
The publisher should include the reviewed wrapper or update SKILL.md to call the reviewed Python file directly. Users should inspect the installed path before use.
It is harder to verify that the package identity and publisher identity are consistent.
The embedded _meta.json ownerId differs from the registry metadata owner ID shown for the package, creating a provenance inconsistency.
"ownerId": "kn7f68annfvbzmccfpr8mgmxtx7zxjtj"
Confirm the publisher and package provenance before installing; the registry metadata and packaged metadata should be reconciled.
Personal or work task details, including notes, can be shown to the agent and potentially included in chat history.
The skill reads OmniFocus task names and notes and returns them as JSON to the agent context. This is expected for the integration but may expose private task content in the conversation.
| `search` | `<query>` | Search tasks by name or note |
Avoid querying sensitive OmniFocus notes unless you are comfortable sharing that content with the agent session.
Approvals can persist across sessions, and yolo mode could allow future write commands without per-action prompts.
The code persists authorization preferences in the user's home directory and supports a mode that skips write authorization checks.
PREFS_DIR = pathlib.Path.home() / ".omnifocus4" ... _DEFAULT_PREFS = {"mode": "once", "approved": []} ... if mode == "yolo": return
Use the default or per-command authorization mode, periodically inspect ~/.omnifocus4/prefs.json, and avoid yolo mode unless you intentionally want no write prompts.
