note-taker
Pass
Audited by Gen Agent Trust Hub on Apr 20, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Utilizes standard Git commands (git fetch, git pull, git push, git stash) to synchronize the notes repository with a remote host. This is the primary mechanism for the skill's advertised functionality.
- [COMMAND_EXECUTION]: Executes a local bash script (scripts/redact_check.sh) to perform pre-commit scanning for potential secrets such as AWS keys, private keys, and API tokens.
- [DATA_EXFILTRATION]: Automatically pushes note content, summaries, and attachments to a remote repository. While this involves transferring data externally, it is the primary intended function of the skill and is protected by a best-effort automated redaction process.
- [PROMPT_INJECTION]: The skill ingests untrusted user input from various sources (chat, voice transcripts, file attachments) and uses it to generate notes and task lists. This presents a surface for indirect prompt injection.
  - Ingestion points: User messages, voice transcriptions, and file contents processed in SKILL.md (Step 1).
  - Boundary markers: The note template in assets/note-template.md does not use explicit delimiters or "ignore embedded instructions" warnings to isolate user-provided content.
  - Capability inventory: Includes file system modification, shell command execution (Git and grep-based scripts), and network operations via Git protocol.
  - Sanitization: The skill implements credential redaction via scripts/redact_check.sh but does not perform specific sanitization to prevent LLM instruction injection from processed data.
Audit Metadata