pnote

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt instructs authentication with an inline personal access token (pnote auth token <your-pat>) and runs arbitrary pnote $ARGUMENTS, which encourages passing secrets as command-line arguments that an agent might need to include verbatim, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill wraps the pnote CLI which fetches and displays user-generated notes/snippets from the PromptNote cloud (e.g., https://app.promptnoteapp.com/) as shown in SKILL.md and README commands like pnote notes get and pnote notes snippet, so untrusted third-party content could be read and influence agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The pnote CLI includes a runtime command (pnote skills pull) that downloads remote "skill" notes from the PromptNote service (e.g., https://app.promptnoteapp.com/) into ~/.claude/skills/, and those fetched files become agent skills that directly control prompts/instructions at runtime.