macos-notes
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (SAFE): The skill reads untrusted content from the macOS Notes database, which could contain malicious instructions meant to influence the agent.
  * Ingestion points: Data enters the agent via the 'read-note', 'list-notes', and 'search-notes' commands in SKILL.md.
  * Boundary markers: No explicit delimiters or instructions for the agent to ignore embedded content are specified.
  * Capability inventory: The skill can execute local shell scripts, run AppleScript (osascript), and write log files.
  * Sanitization: The documentation notes that input fields are validated, but makes no mention of sanitizing content retrieved from Notes.app.
- [Command Execution] (SAFE): The skill utilizes osascript and a local shell script for automation. This behavior is transparently documented as necessary for interacting with the macOS Notes app.
- [Data Exposure] (SAFE): Accesses user-stored notes which may contain sensitive data. The skill mitigates leakage risks by ensuring data is passed via stdin rather than CLI arguments and by explicitly skipping encrypted or password-protected notes.