supernote-upload
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION] (LOW): The skill executes shell commands using the `supernote` CLI. It interpolates user-provided data, such as file paths and directory names, into these commands (e.g., `supernote upload [path]`). If the agent does not properly escape shell metacharacters in these inputs, an attacker could potentially execute arbitrary commands via malicious filenames.
- [EXTERNAL_DOWNLOADS] (SAFE): The skill includes instructions to install a package from a local path (`pip install ~/hn2supernote/supernote_uploader`). This does not involve a remote network download from an untrusted source, though it establishes a dependency on code that is not contained within the skill itself.
- [CREDENTIALS_UNSAFE] (SAFE): The skill manages authentication through the `supernote login` command. No hardcoded API keys, tokens, or secrets were detected in the skill source code. The CLI tool's credential caching is a standard feature of the external utility.
Audit Metadata