macOS Disk Cleaner

Security checks across malware telemetry and agentic risk

Overview

This macOS cleanup skill is mostly on-purpose, but it needs Review because it can permanently delete broad local paths and gives risky cleanup commands with inconsistent safeguards.

Install only if you are comfortable reviewing every cleanup target and command before anything is deleted. Prefer analysis-only use, avoid sudo and broad rm -rf commands, use Trash or backups for recoverability, and do not use the deletion helper on broad folders such as home, system directories, project roots, or anything containing credentials or important data.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration

Findings (12)

Intent-Code Divergence

High

Confidence: 97% confidence
Finding: The document says the user should execute cleanup commands and that the agent must not auto-execute deletions, but later sections instruct the agent to execute destructive actions itself. Contradictory safety guidance is dangerous because downstream agents may follow the destructive examples instead of the safer policy, leading to unintended data loss.

Intent-Code Divergence

Medium

Confidence: 89% confidence
Finding: The skill frames Mole analysis as safe and read-only, but elsewhere includes deletion workflows and command sequences that operationalize cleanup. This inconsistency can cause an agent to over-trust the 'safe analysis' framing and then continue into destructive commands without an appropriate boundary.

Intent-Code Divergence

High

Confidence: 98% confidence
Finding: The skill strongly argues that many caches are valuable and should usually be preserved, then later labels wholesale cache deletion as safe and recommends broad `rm -rf ~/Library/Caches/*` cleanup. That contradiction is dangerous because broad cache removal can disrupt applications, remove useful state, and cause major redownload/rebuild costs or app instability.

Description-Behavior Mismatch

Medium

Confidence: 88% confidence
Finding: The script expands a general macOS disk-cleanup skill into development-environment reconnaissance, including Docker, package-manager caches, and repository metadata. In skill context, that exceeds the stated purpose and increases exposure of sensitive local development information, making the capability more dangerous than a typical storage analyzer.

Context-Inappropriate Capability

Medium

Confidence: 92% confidence
Finding: Scanning common source-code directories and enumerating .git metadata can reveal the existence, names, and scale of private projects unrelated to generic disk cleanup. Because this is an agent skill, the mismatch between declared purpose and repository inspection materially increases privacy and data-discovery risk.

Description-Behavior Mismatch

High

Confidence: 98% confidence
Finding: The skill metadata says it should focus on analysis and cleanup recommendations with user confirmation before deletions, but this code directly performs permanent file and directory deletion. That expands the skill from advisory behavior into destructive execution, increasing the risk of accidental or agent-driven data loss far beyond the declared scope.

Description-Behavior Mismatch

Medium

Confidence: 97% confidence
Finding: Batch mode allows a file to supply many deletion targets at once, enabling bulk destructive action inconsistent with the skill's recommendation-oriented purpose. In an agent setting, this significantly increases blast radius because a single indirect input source can trigger many permanent deletions after only coarse confirmation.

Intent-Code Divergence

Medium

Confidence: 99% confidence
Finding: The script presents itself as 'safe' interactive deletion, but the implementation uses `unlink()` and `shutil.rmtree()` for permanent removal with no rollback, trash integration, path restrictions, or protection against deleting sensitive directories. This mismatch can mislead users and higher-level agents into trusting an operation that can irreversibly destroy data.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The script recommends deleting .git directories with rm -rf but does not clearly warn that this permanently destroys version history, branches, tags, and recovery options. In the context of a cleanup skill, users may over-trust the recommendation and irreversibly damage important projects.

Tool Parameter Abuse

High

Category: Tool Misuse
Content: ⚠️ This operation requires administrator privileges. Please run this command manually: sudo rm -rf /Library/Caches/* ⚠️ You will be asked for your password. ```
Confidence: 88% confidence
Finding: rm -rf /Library/Caches/* ⚠️ You will be asked for your password. ``` **Reason**: - Requires elevated privileges - User should be aware of system-wide impact - Audit trail (user types password) ###

Tool Parameter Abuse

High

Category: Tool Misuse
Content: osascript -e 'tell app "Finder" to move POSIX file "/path/to/file" to trash' # Permanent (use only when confirmed safe) rm -rf /path/to/file ``` ## Never Delete These
Confidence: 79% confidence
Finding: rm -rf /path/to/

Tool Parameter Abuse

High

Category: Tool Misuse
Content: ⚠️ This operation requires administrator privileges. Please run this command manually: sudo rm -rf /Library/Caches/* ⚠️ You will be asked for your password. ```
Confidence: 88% confidence
Finding: rm -rf /Library/Caches/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal