apple-notes
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the installation of the
memoCLI tool from a third-party Homebrew tap (antoniorodr/memo). This repository is not from a trusted organization or well-known service.\n- [COMMAND_EXECUTION]: The skill executes multiple shell commands using thememobinary to list, search, add, and delete notes within the macOS environment. This involves direct interaction with the system's underlying Notes.app via a CLI interface.\n- [PROMPT_INJECTION]: This skill is vulnerable to indirect prompt injection because it reads content from local Apple Notes. If a note contains malicious instructions (e.g., from a shared note or external sync), the agent may inadvertently follow them while processing the note's text.\n - Ingestion points: Reading note titles and body content via
memo notes, including search results.\n - Boundary markers: There are no defined delimiters or instructions to treat note content as untrusted data.\n
- Capability inventory: The skill can execute local commands and perform write/delete operations on the notes database.\n
- Sanitization: The skill does not implement any visible sanitization or filtering of the text retrieved from notes before it enters the agent's context.
Audit Metadata