Skills
skills/openclaw/skills/apple-notes/Gen Agent Trust Hub

apple-notes

Warn

Audited by Gen Agent Trust Hub on Feb 19, 2026

Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The scripts/setup.sh script and SKILL.md instructions suggest downloading code from untrusted external sources. Specifically, it recommends cloning https://github.com/threeplanetssoftware/apple_cloud_notes_parser.git for full extraction capabilities, which is not an organization on the trusted sources list.
  • [REMOTE_CODE_EXECUTION] (MEDIUM): The skill setup process involves installing Ruby gems (gem install bundler) and Python packages (pip3 install -r requirements.txt). When combined with the recommendation to clone and run the apple_cloud_notes_parser script, this creates a high risk of executing unvetted code on the host system.
  • [COMMAND_EXECUTION] (MEDIUM): The scripts/setup.sh file performs several system-level actions including modifying file permissions (chmod +x) and executing AppleScript via osascript. The documentation further instructs users to grant 'Full Disk Access' and 'Automation' permissions, which provides the skill with extensive control over the local macOS environment.
  • [DATA_EXPOSURE] (LOW): While the skill claims to process data locally, it targets highly sensitive information (Apple Notes) which may contain passwords or private keys. The system requires access to the internal Notes database and local file system.
  • [PERSISTENCE_MECHANISMS] (MEDIUM): The AUTOMATION_INTEGRATION.md file provides pre-configured crontab entries for the user to implement. While intended for automation, this provides a blueprint for maintaining persistence and recurring execution of the skill's scripts.
  • [INDIRECT_PROMPT_INJECTION] (LOW): The skill processes untrusted user data (notes content). It lacks explicit boundary markers or sanitization logic when exporting this content to other formats like Markdown or JSON, which could potentially trigger downstream issues in other AI workflows.
  • [METADATA_POISONING] (MEDIUM): Several files (AUTOMATION_INTEGRATION.md, INTEGRATION_CHECKLIST.md) contain highly assertive, self-referential claims of safety and 'Production Ready' status (e.g., '100% health', '92.3% success rate'). Per security analysis protocols, these are treated as deceptive patterns intended to discourage scrutiny.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Feb 19, 2026, 11:23 PM