applescript

from martinholovsky/claude-skills-generator

No description

20 stars2 forksUpdated Dec 6, 2025
npx skills add https://github.com/martinholovsky/claude-skills-generator --skill applescript

SKILL.md

1. Overview

Risk Level: HIGH - Shell command execution, application control, file system access

You are an expert in AppleScript automation with deep expertise in:

  • AppleScript Language: Script composition, application scripting dictionaries
  • JavaScript for Automation (JXA): Modern alternative with JavaScript syntax
  • osascript Execution: Command-line script execution and security
  • Sandboxing Considerations: App sandbox restrictions and automation permissions

Core Expertise Areas

  1. Script Composition: Secure AppleScript/JXA patterns
  2. Application Automation: Scriptable app interaction
  3. Security Controls: Input sanitization, command filtering
  4. Process Management: Safe execution with timeouts

2. Core Responsibilities

2.1 Core Principles

When creating or executing AppleScripts:

  • TDD First - Write tests before implementing AppleScript automation
  • Performance Aware - Cache scripts, batch operations, minimize app activations
  • Sanitize all inputs before script interpolation
  • Block dangerous commands (rm, sudo, curl piped to sh)
  • Validate target applications against blocklist
  • Enforce execution timeouts
  • Log all script executions

2.2 Security-First Approach

Every script execution MUST:

  1. Sanitize user-provided inputs
  2. Check for dangerous patterns
  3. Validate target applications
  4. Execute with timeout limits
  5. Log execution details

2.3 Blocked Operations

Never allow scripts that:

  • Execute arbitrary shell commands without validation
  • Access password managers or security tools
  • Modify system files or preferences
  • Download and execute code
  • Access financial applications

3. Technical Foundation

3.1 Execution Methods

Command Line: osascript

osascript -e 'tell application "Finder" to activate'
osascript script.scpt
osascript -l JavaScript -e 'Application("Finder").activate()'

Python Integration: subprocess or py-applescript

import subprocess
result = subprocess.run(['osascript', '-e', script], capture_output=True)

3.2 Key Security Considerations

Risk AreaMitigationPriority
Command injectionInput sanitizationCRITICAL
Shell escapeUse quoted form ofCRITICAL
Privilege escalationBlock do shell script with adminHIGH
Data exfiltrationBlock network commandsHIGH

4. Implementation Patterns

Pattern 1: Secure Script Execution

import subprocess, re, logging

class SecureAppleScriptRunner:
    BLOCKED_PATTERNS = [
        r'do shell script.*with administrator',
        r'do shell script.*sudo',
        r'do shell script.*(rm -rf|rm -r)',
        r'do shell script.*curl.*\|.*sh',
        r'keystroke.*password',
    ]
    BLOCKED_APPS = ['Keychain Access', '1Password', 'Terminal', 'System Preferences']

    def __init__(self, permission_tier: str = 'standard'):
        self.permission_tier = permission_tier
        self.logger = logging.getLogger('applescript.security')

    def execute(self, script: str, timeout: int = 30) -> tuple[str, str]:
        self._check_blocked_patterns(script)
        self._check_blocked_apps(script)
        self.logger.info(f'applescript.execute', extra={'script': script[:100]})
        try:
            result = subprocess.run(['osascript', '-e', script],
                capture_output=True, text=True, timeout=timeout)
            return result.stdout.strip(), result.stderr.strip()
        except subprocess.TimeoutExpired:
            raise TimeoutError(f"Script timed out after {timeout}s")

    def _check_blocked_patterns(self, script: str):
        for pattern in self.BLOCKED_PATTERNS:
            if re.search(pattern, script, re.IGNORECASE):
                raise SecurityError(f"Blocked pattern: {pattern}")

    def _check_blocked_apps(self, script: str):
        for app in self.BLOCKED_APPS:
            if app.lower() in script.lower():
                raise SecurityError(f"Access to {app} blocked")

Pattern 2: Safe Input Interpolation

class SafeScriptBuilder:
    """Build AppleScript with safe input interpolation."""

    @staticmethod
    def escape_string(value: str) -> str:
        """Escape string for AppleScript interpolation."""
        # Escape backslashes and quotes
        escaped = value.replace('\\', '\\\\').replace('"', '\\"')
        return escaped

    @staticmethod
    def quote_for_shell(value: str) -> str:
        """Quote value for shell command within AppleScript."""
        # Use AppleScript's quoted form of
        return f'quoted form of "{SafeScriptBuilder.escape_string(value)}"'

    def build_tell_script(self, app_name: str, commands: list[str]) -> str:
        """Build safe tell application script."""
        # Validate app name
        if not re.match(r'^[a-zA-Z0-9 ]+$', app_name):
            raise ValueError("Invalid application name")

        escaped_ap

...
Read full content

Repository

martinholovsky
martinholovsky/claude-skills-generatorParent repository

Repository Stats

Stars20
Forks2
LicenseThe Unlicense