x-writing
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The bash script scripts/fetch-notes.sh performs unsafe string interpolation into AppleScript commands executed via osascript -e. Specifically, variables $ARG, $NOTE_NAME, and $COUNT are directly embedded into the AppleScript source. An attacker can use double quotes to break out of the AppleScript string and use the do shell script command to execute arbitrary shell commands with the user's permissions.
- [REMOTE_CODE_EXECUTION] (HIGH): The AppleScript injection vulnerability allows for arbitrary code execution on the host machine. If an agent is tricked into calling this script with a malicious argument (e.g., via a malicious configuration in settings.json or by searching for a specially crafted string), it leads to full system compromise.
- [DATA_EXFILTRATION] (MEDIUM): The skill is designed to read private data from the macOS Notes app. While this is the intended functionality, the lack of input validation and the possibility of command injection create a high risk of unauthorized data access and exfiltration.
- [PROMPT_INJECTION] (LOW): The skill is vulnerable to indirect prompt injection because it ingests untrusted data from external sources (Notes app and local markdown files) and processes it with high-capability tools (the LLM and shell scripts).
  - Ingestion points: scripts/fetch-notes.sh (reading from macOS Notes), X_SOURCE_FILE (reading from local markdown files).
  - Boundary markers: None present. The skill does not use delimiters or instructions to ignore embedded commands in the source data.
  - Capability inventory: Subprocess execution (via fetch-notes.sh), file system write access (saving drafts to X_DRAFTS_FILE).
  - Sanitization: None. The content of the notes is stripped of HTML tags but otherwise passed directly to the model and scripts.
Recommendations
- AI detected serious security threats
Audit Metadata