automating-notes

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION] (LOW): Indirect prompt injection surface identified in Category 8. The skill handles untrusted data (note titles, bodies, and search terms) provided by the user or read from external sources, which could influence the agent's behavior if it interprets malicious instructions embedded in note content.
      • Ingestion points: scripts/create_note.py and scripts/search_notes.py accept external input via command-line arguments.
      • Boundary markers: Absent in scripts; the documentation in SKILL.md provides manual guidance to sanitize input, but no technical enforcement is present.
      • Capability inventory: The skill has the ability to execute commands via osascript and automate application state via PyXA/JXA.
      • Sanitization: Absent in the provided scripts; the skill relies on the LLM to follow the instruction to 'Always sanitize HTML input'.
  • [COMMAND_EXECUTION] (SAFE): The scripts scripts/set_up_notes_automation.py and scripts/set_up_notes_automation.sh utilize osascript to trigger macOS Automation permission prompts. This is a legitimate and necessary pattern for macOS-specific application automation and is restricted to read-only discovery of account/folder names in the setup phase.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:21 PM