skills/acron0/skills/note-taker/Gen Agent Trust Hub

note-taker

Warn

Audited by Gen Agent Trust Hub on Feb 27, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes python3 -c one-liners to update the ~/.claude/preferences.json file. Keys and values are interpolated directly as strings into a script executed via the shell, which can be exploited for command injection if inputs contain shell metacharacters or unmatched quotes.
  • [COMMAND_EXECUTION]: The skill uses mkdir -p to create directory structures based on user-provided or discovered paths.
  • [DATA_EXFILTRATION]: The skill reads and modifies ~/.claude/preferences.json. Accessing hidden configuration files within the home directory is a sensitive operation that exposes application state.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface because it reads and interprets external Markdown templates and user-generated note files to decide how to append content in a 'context-aware' way.
    * Ingestion points: Markdown files in the templates directory and the active note file.
    * Boundary markers: None specified to differentiate content from instructions.
    * Capability inventory: File read (Read tool), file write (Edit tool), directory creation (mkdir), and command execution (python3 -c).
    * Sanitization: No validation or escaping of template content or user-provided paths is implemented.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 27, 2026, 04:54 PM