ClawHub

macOS Contacts

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it can modify, delete, merge, back up, and restore your macOS Contacts beyond its narrow read/search/create summary.

Install only if you intentionally want an agent to manage macOS Contacts with destructive maintenance authority. Before using it, review exact contact identifiers and fields, avoid broad dedupe or merge requests, treat restore as a high-risk operation that can overwrite your current address book, and remember that backups contain a full copy of private contact data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (31)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises and documents shell, file read/write, environment, and likely broader execution capabilities without declaring permissions or constraining them in the manifest. This creates a transparency and governance gap: consumers may invoke a skill that can access local Contacts data and mutate local state without an explicit permission boundary, increasing the risk of unintended data exposure or modification.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The manifest frames the skill as read/search/verify/create, but the documentation also includes backup, restore, update, delete, dedupe, merge, and transactional rollback workflows. That mismatch is dangerous because operators may trust the narrow description while the skill actually supports destructive and state-altering operations over a sensitive personal datastore.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The README advertises update, delete, merge, dedupe, and rollback capabilities that exceed the stated skill scope of read/search/create. This kind of scope mismatch is dangerous because operators or downstream agents may invoke unsupported destructive functionality based on documentation, leading to unintended contact modification or deletion and weakening trust boundaries around the skill.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The README states the write path is Swift plus Contacts.framework, while the skill metadata says writes are done via AppleScript. Conflicting implementation claims are security-relevant because they obscure the real trust model, permission model, and code paths that will execute during mutations, making review and safe use harder and increasing the chance of unauthorized or unreviewed write behavior.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The README claims production-grade update, delete, deduplication, merge, backup, and restore capabilities that exceed the stated skill scope of read/search/create. This capability expansion is dangerous because users or downstream agents may rely on the documentation and invoke destructive operations that were not justified, reviewed, or expected for this skill.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The documentation says the primary write path uses Swift with Contacts.framework, while the skill metadata says writes use AppleScript as the supported path. This inconsistency can mislead operators and reviewers about what code path actually performs sensitive contact modifications, undermining trust, review coverage, and enforcement of platform safeguards.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Backup, restore, transaction wrapper, and rollback tooling materially broaden access to the user's contacts data beyond simple read/search/create. Restore and transaction helpers can be abused to overwrite or revert user data at scale, increasing the blast radius of mistakes or malicious use in a skill that was presented as narrower in scope.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Delete and merge/deduplication operations are destructive and go beyond the declared purpose of inspecting, searching, verifying, and safely creating contacts. In the macOS Contacts context, these actions can permanently alter or remove personal address book data, making scope drift especially dangerous.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The documentation materially expands the write scope beyond 'safely create contacts' to include update, delete, dedupe, merge, backup, and restore. In a contacts-management context, this is especially sensitive because these actions can alter or destroy a user's authoritative address book, including transactional restore of entire databases.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script copies the full macOS Contacts SQLite database and associated WAL/SHM files into a skill-controlled state directory, creating a duplicate store of sensitive personal data outside the user-facing Contacts app. That exceeds the stated read/search/create purpose and increases confidentiality risk because the backup can persist longer, be accessed by other tooling, and expand the blast radius if the skill state directory is exposed.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script implements persistent backup and retention by creating timestamped copies and appending a manifest entry, enabling accumulation of historical snapshots of the user's contacts database. This is dangerous because it silently increases long-term storage of sensitive contact data beyond operational need, making later unauthorized access or unintended reuse more damaging.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script performs destructive deletion of contacts via `contacts_txn.sh ... delete`, which exceeds the stated skill scope of read, search, and safely create contacts. A hidden or undocumented delete path is dangerous because an agent or caller could invoke it to remove user data without clear authorization or expectation.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
This file implements bulk destructive deduplication by iterating over provided identifiers and deleting each duplicate, despite the skill description only justifying inspection, search, existence checks, and contact creation. That mismatch increases the risk of unintended or unauthorized data loss because consumers of the skill would not reasonably expect deletion behavior to exist.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill metadata says it should read, search, verify, and safely create contacts, but this code also updates an existing contact and deletes other contacts during duplicate merging. That is a capability expansion into destructive modification that can cause irreversible data loss and violates the declared scope, making misuse or accidental invocation materially dangerous.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The loop deletes every contact passed via --drop after updating the kept record, with no recycle bin, backup, or recovery path. Because contacts are sensitive personal data, erroneous duplicate detection or misuse of identifiers can permanently remove legitimate records.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The script can overwrite the live macOS Contacts database from an arbitrary backup directory, which exceeds the stated skill scope of reading, searching, and safely creating contacts. This enables wholesale replacement of a user's address book, causing integrity loss and potential unauthorized data rollback or injection of attacker-controlled contact data.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script directly replaces Address Book SQLite database files on disk, including WAL/SHM files, bypassing supported application-layer safeguards. Filesystem-level replacement is dangerous because it can corrupt the Contacts store, evade normal validation, and introduce or destroy data in a way inconsistent with the skill's narrow contact search/create purpose.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill advertises read/search/verify/create behavior, but the code also exposes update and delete operations on the user's native macOS contacts. This is a scope expansion from the declared capability and creates a confused-deputy risk: an orchestrator or user may grant contacts access expecting limited writes, while the tool can silently modify or remove data.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
The duplicates command performs bulk enumeration and grouping of the entire contacts database, which is broader than the described manifest behavior. While not destructive, this increases data exposure and enables large-scale profiling of a sensitive personal dataset beyond the expected search/verify/create scope.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script creates a full Contacts backup before running a command and may restore the entire database on failure, which is broader than the skill's stated scope of searching for and safely creating contacts. Full backup/restore exposes all contact data to additional handling and allows destructive state changes beyond the minimum necessary operation, increasing privacy and integrity risk if the wrapper is misused or the backup artifacts are exposed.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The wrapper executes whatever command and arguments are supplied via "$@", making it a generic command execution primitive rather than a Contacts-specific helper. Even though quoting avoids some shell injection, the capability itself is overbroad: any caller that can invoke this script can run arbitrary programs under the skill's privileges, potentially accessing unrelated files, exfiltrating data, or making system changes.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The examples show create, update, delete, and merge commands that directly modify the system contacts database, but they do not prominently warn about irreversibility, sync propagation, or possible data loss. In a production macOS contacts skill, insufficient safety messaging increases the chance of accidental destructive use by users or autonomous agents.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
This code performs a state-changing write to the user's Contacts database by creating a new contact and saving it, but there is no application-layer confirmation, dry-run mode, or second-step acknowledgement in this file. In an agent context, that increases the risk of unintended or user-unapproved data modification if the tool is invoked on ambiguous or adversarial instructions.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script enumerates contacts and returns names, phone numbers, and email addresses from the native Contacts database, which is sensitive personal data. In an agent skill, exposing this data without an in-tool privacy notice, narrowing, or consent guard can enable over-collection or disclosure beyond what the user intended.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script copies private Contacts database files without any user-facing disclosure, confirmation, or indication that a full local backup is being created. In the context of a skill advertised for reading, searching, and safely creating contacts, silent duplication of the entire database is particularly risky because users would not reasonably expect archival of all contact records.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal