session-handoff
Warn
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill requires the user to manually configure a shell script hook (
~/.claude/hooks/session-start.sh) and grant it execution permissions (chmod +x). This script is configured to run automatically at the start of every session, representing a persistence mechanism and a vector for arbitrary command execution. - [EXTERNAL_DOWNLOADS]: The documentation references an external, unverified third-party repository (
github.com/Dhravya/apple-notes-mcp) as a prerequisite for the skill's functionality. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its core memory-retrieval mechanism.
- Ingestion points: The
SessionStarthook reads content from external Apple Notes (Private and Shared) and injects it directly into the agent's context at the beginning of every session. - Boundary markers: The instructions do not specify the use of delimiters or 'ignore' instructions to prevent the agent from obeying malicious commands that might be embedded within the retrieved notes.
- Capability inventory: The agent has the capability to read, write, and move notes via the Apple Notes MCP, as well as execute local shell commands through the hook system.
- Sanitization: There is no evidence of sanitization or validation performed on the note content before it is interpolated into the session context.
Audit Metadata