apple-notes
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE COMMAND_EXECUTION PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on a local binary named `notes` (located at `/usr/local/bin/notes`) to perform search, synchronization, and retrieval operations. This requires the binary to be pre-installed on the host system.
- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection. It retrieves and processes content from the user's Apple Notes database, which may contain untrusted data (such as web clippings or shared notes) that could influence the agent's behavior during the RAG (Retrieval-Augmented Generation) process.
  - Ingestion points: User's Apple Notes database via `notes search` and `notes ask` commands.
  - Boundary markers: None identified in the prompt templates to distinguish between note content and instructions.
  - Capability inventory: Execution of the `notes` CLI tool for searching, opening, and syncing data.
  - Sanitization: No explicit sanitization or filtering of note content is described before feeding it to the local LLM.
- [DATA_EXFILTRATION]: The skill processes highly sensitive personal data (private notes). Although it claims that 'nothing leaves the machine' and uses a local Ollama instance, the security of the data depends entirely on the integrity of the external `notes` binary which is not provided within the skill source.
Audit Metadata