retrieve-and-analyze-notes

Fail

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: HIGH (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill is vulnerable to AppleScript injection because the search_term parameter is directly interpolated into an AppleScript string literal. An attacker could provide a search term containing a double quote to terminate the string and append malicious AppleScript commands, such as do shell script, which allows for arbitrary system command execution.
  • [DATA_EXFILTRATION]: The skill accesses the local Apple Notes database, which frequently contains sensitive information like credentials, private keys, or personal data. The skill is designed to return the full content of these notes to the agent, creating a high risk of sensitive data exposure or exfiltration if the agent is compromised or tricked.
  • [PROMPT_INJECTION]: The skill creates an indirect prompt injection surface by ingesting untrusted content from Apple Notes and passing it to the agent's context. A note containing malicious instructions could hijack the agent's logic.
      • Ingestion points: Apple Notes body content via SKILL.md.
      • Boundary markers: None present; content is returned as raw text.
      • Capability inventory: AppleScript execution and shell command execution via do shell script.
      • Sanitization: No sanitization, escaping, or validation is performed on the retrieved note content.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 1, 2026, 07:31 AM