pnote
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill requires the manual installation of the `pnote` npm package (`npm install -g pnote`). Additionally, the recommended installation method uses `npx skills add thevertexlab/pnote-skill`, which points to a GitHub repository outside of the trusted list. This introduces risk from unverified third-party code.
- COMMAND_EXECUTION (LOW): The skill uses `allowed-tools: Bash(pnote *)` to restrict the agent's execution environment to the specific `pnote` binary. This effectively limits the attack surface for command injection beyond the intended CLI functionality.
- DATA_EXPOSURE (LOW): The skill facilitates the handling of sensitive data such as Personal Access Tokens (PATs) and PIN-protected notes. Users are instructed to authenticate manually via the CLI, but passing PINs via the `-p` flag or environment variables could result in sensitive data appearing in process lists or shell history if not handled carefully by the user.
- INDIRECT_PROMPT_INJECTION (LOW):
  - Ingestion points: The skill retrieves content from external sources via `pnote notes get` and `pnote search`, which pull user-controlled note content into the agent's context.
  - Boundary markers: Absent. There are no explicit delimiters or instructions to the agent to ignore potentially malicious instructions embedded within the retrieved notes.
  - Capability inventory: The agent can list, search, read, and create notes/snippets using the `pnote` tool.
  - Sanitization: None detected. Note content is ingested as raw text, which could influence subsequent agent behavior if notes contain adversarial prompts.
Audit Metadata