Apple Icloud Suite

Security checks across malware telemetry and agentic risk

Overview

This iCloud skill is partly legitimate, but it also enables continuous location/status tracking with broad account credentials and shared-calendar publishing.

Install only if you deliberately want broad iCloud access and the status-wall tracking behavior. Avoid pasting your primary Apple ID password into chat; prefer app-specific credentials where possible, keep the daemon off unless needed, confirm every tracked person consents, understand that precise location may be sent to AMap, and review or clear ~/.pyicloud/ and ~/.status_wall* files after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (37)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    member = cfg["member_name"]
    title = f"👤 {member}: {status_text}"

    r = subprocess.run(
        ['python3', cal_script, 'search', f'👤 {member}', '-c', target],
        capture_output=True, text=True
    )
Confidence
80% confidence
Finding
r = subprocess.run( ['python3', cal_script, 'search', f'👤 {member}', '-c', target], capture_output=True, text=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
)

    # Write the new status
    r = subprocess.run(
        ['python3', cal_script, 'new', 'today', title, '-c', target],
        capture_output=True, text=True
    )
Confidence
84% confidence
Finding
r = subprocess.run( ['python3', cal_script, 'new', 'today', title, '-c', target], capture_output=True, text=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    # Delete the old status
    if '找到 0 个' not in r.stdout and '没有找到' not in r.stdout:
        subprocess.run(
            ['python3', cal_script, 'delete', f'👤 {member}', '-c', target],
            capture_output=True, text=True
        )
Confidence
80% confidence
Finding
subprocess.run( ['python3', cal_script, 'delete', f'👤 {member}', '-c', target], capture_output=True, text=True )

Tainted flow: 'output_path' from os.environ.get (line 144, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
        output_path = os.path.join(output_dir, photo.filename)
        
        with open(output_path, 'wb') as f:
            f.write(download.raw.read())
        
        file_size = os.path.getsize(output_path) / 1024 / 1024
Confidence
91% confidence
Finding
with open(output_path, 'wb') as f:

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill invokes shell commands, reads environment variables, accesses local session files, and uses networked Python libraries, but the manifest does not declare any permissions or capabilities. This creates a transparency and policy problem: a caller may authorize or invoke the skill without understanding that it can access credentials, local files, and remote iCloud data.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented purpose is ordinary iCloud operations, but the referenced behavior extends into notes access, continuous status monitoring, GPS/presence tracking, reverse geocoding, and automatic calendar updates based on inferred activity. That scope expansion is dangerous because it enables covert surveillance and data enrichment beyond what users would reasonably expect from a simple iCloud utility skill.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The README documents a persistent background daemon that performs family/presence tracking and status inference, which materially expands the skill beyond ordinary on-demand iCloud operations. Persistent monitoring of device location creates a surveillance capability that can be misused for stalking, covert monitoring, or collection of sensitive behavioral patterns, especially because it is framed as routine household collaboration.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The README adds AMap reverse geocoding, which sends precise location data to an external service unrelated to the core Apple iCloud functions described in the manifest. This increases data exposure by enriching raw coordinates into human-readable locations and introduces third-party sharing of sensitive location information without clear necessity or disclosure.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Commute inference and household presence monitoring derive sensitive behavioral intelligence from location data, such as home/work locations and movement routines, which exceeds the stated purpose of basic iCloud management. In the context of an agent skill with Find My access, this substantially increases the danger because it enables continuous pattern-of-life surveillance rather than discrete user-requested operations.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The skill advertises calendar, photos, Drive, device finding, and reminders, but also exposes a dedicated Apple Notes script without declaring that capability. Undisclosed access to notes increases the risk of sensitive personal information being accessed under a broader, less specific trust boundary.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
The boundary notes admit the skill has some Apple Notes reading capability even though Notes is not part of the declared scope. Hidden or under-declared data-domain access is risky because users may expose highly sensitive note content without realizing the skill can touch it.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The documented 'status wall' daemon materially expands the skill from user-invoked iCloud operations into continuous background GPS surveillance, commute inference, and external geocoding. That is dangerous because it enables persistent monitoring of a user's whereabouts and routines without being necessary for the stated skill purpose, increasing privacy and abuse risk.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The instructions tell the agent to collect the user's Apple ID primary password and an external AMap API key at enablement, which is far beyond what is justified for normal iCloud calendar operations. Collecting a primary account password creates severe account-compromise risk, and bundling multiple secrets for one-time intake normalizes unsafe credential harvesting behavior.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill description is for Apple iCloud services, but this section extends behavior into AMap geocoding, location semantics, and commute-status inference. This scope creep is dangerous because users may consent to calendar/device operations without realizing they are enabling broader location analytics and third-party data sharing.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The document first states calendar access should use an app-specific password, but later activation instructions ask for the Apple ID primary password. This inconsistency is dangerous because it can mislead users into disclosing stronger credentials than necessary, increasing the blast radius from calendar-only access to full account exposure.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The documentation explicitly includes bulk download and continuous synchronization commands for iCloud photos, which goes beyond a narrow 'view/manage photos' use case and materially increases the amount of user data that can be replicated locally over time. In a skill that can access personal iCloud content, normalizing unattended syncing expands privacy and data-exfiltration risk if copied into an agent workflow without strong consent and scoping controls.

Description-Behavior Mismatch

High
Confidence
92% confidence
Finding
The script adds iCloud Notes access, but the declared skill scope only covers calendar, photos, iCloud Drive, device finding, and reminders. In an agent environment, scope expansion into notes is dangerous because notes commonly contain highly sensitive personal and business data, and users may not expect this skill to access them.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The drive-structure function enumerates top-level iCloud Drive folders and some sub-items even though the script is presented as a notes-access tool. This broad discovery capability increases unnecessary data exposure by revealing unrelated user files, folder names, and storage structure that may contain sensitive information.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The script implements a background surveillance-style daemon that continuously infers a family member's status from private calendars and device location, then publishes that presence into a shared calendar. This exceeds the declared skill scope of user-requested iCloud operations and creates persistent monitoring without a clear per-use consent flow.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The daemon loop repeatedly reads private calendar state and live GPS data to infer work/home/commute status, then publishes those inferences externally. This is dangerous because it enables covert behavioral monitoring, routine profiling, and real-time whereabouts disclosure over long periods.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code sends precise device coordinates to a third-party geolocation provider to derive semantic place names, expanding sensitive data exposure beyond Apple/iCloud. This is unjustified by the manifest and increases privacy risk because a third party can learn exact locations and movement context.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README advertises device location access and calendar create/delete operations without clearly warning users that these actions expose sensitive personal data and can modify or destroy calendar records. Lack of disclosure increases the chance of unintended privacy harm or destructive actions, particularly when the skill handles high-value personal account access.

Missing User Warnings

High
Confidence
97% confidence
Finding
The background daemon is described as polling GPS/location data continuously, yet the README provides no prominent privacy disclosure, consent model, or explanation of storage and sharing. Continuous polling is especially dangerous because it turns occasional device lookup into ongoing surveillance, amplifying the sensitivity of the collected data and the harm from misuse.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger phrases are broad, everyday scheduling and file/photo requests that overlap heavily with common assistant interactions. This can cause unintended invocation of a high-privilege skill that touches calendars, photos, files, and device location, increasing the chance of accidental data exposure or unintended account actions.

Natural-Language Policy Violations

Medium
Confidence
76% confidence
Finding
The authentication example unconditionally sets a China-mainland-specific environment/configuration path and states it is required for mainland users, but it does not show any explicit user confirmation or region detection safeguards. Region-specific routing can alter where credentials and traffic are sent, so forcing it without consent can create privacy, compliance, and reliability risks.

VirusTotal

65/65 vendors flagged this skill as clean.
