apple-notes
Warn
Audited by Gen Agent Trust Hub on Feb 23, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill specifies the installation of the `memo` CLI tool from a third-party Homebrew tap (`antoniorodr/memo/memo`). This repository and its owner are not listed among trusted vendors or well-known services.
- [COMMAND_EXECUTION]: The skill executes commands using the `memo` binary to interact with the macOS environment, including operations to list, search, create, edit, and delete data.
- [DATA_EXFILTRATION]: The skill accesses sensitive personal data stored within Apple Notes. While no explicit network exfiltration is identified, the skill possesses the capability to export note content to external formats like HTML or Markdown via the `-ex` flag.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its processing of untrusted data from note contents.
  - Ingestion points: Note content is ingested into the agent context through the `memo notes` and `memo notes -s` commands in `SKILL.md`.
  - Boundary markers: None; the skill does not use delimiters or instructions to prevent the agent from obeying commands embedded within notes.
  - Capability inventory: The skill includes commands for system-level data modification (create, edit, delete) and export via the `memo` CLI.
  - Sanitization: There is no evidence of sanitization or content filtering for the data retrieved from Apple Notes.
Audit Metadata