evernote-hello-world

Pass

Audited by Gen Agent Trust Hub on Apr 4, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill uses the official 'evernote' SDK for Node.js and Python, which are standard libraries for a well-known service.
  • [SAFE]: Sensitive API tokens are managed securely via environment variables (EVERNOTE_ACCESS_TOKEN and os.environ['EVERNOTE_ACCESS_TOKEN']) rather than hardcoded credentials.
  • [SAFE]: Educational content is provided regarding ENML security restrictions, explicitly identifying forbidden tags such as <script> and <iframe> to prevent malicious note content.
  • [PROMPT_INJECTION]: The skill facilitates reading note content from the Evernote API, which represents a potential surface for indirect prompt injection if the content is processed by the agent without further sanitization.
  • Ingestion points: noteStore.getNote() in SKILL.md and references/implementation-guide.md.
  • Boundary markers: Not present in the provided code snippets.
  • Capability inventory: The skill uses Read, Write, and Edit tools as defined in the SKILL.md frontmatter.
  • Sanitization: No explicit sanitization or validation of the retrieved note content is demonstrated in the examples.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 4, 2026, 04:45 PM