macos-notes
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on
osascriptto execute AppleScript code that controls the macOS Notes application. This includes commands for creating, updating, moving, and deleting notes, which are executed in the host system's context. - [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection. It ingests untrusted data from the user's Apple Notes via scripts like
get.applescriptandsearch.applescript. Because the skill also has destructive capabilities (e.g.,delete.applescript), an attacker could place malicious instructions inside a note that an agent might inadvertently follow. - [DATA_EXFILTRATION]: The skill provides broad access to sensitive user data stored in Apple Notes. While it lacks explicit network exfiltration logic, it can read all note content and save attachments to arbitrary local file paths using
scripts/attachment/save.applescript, which could be used to move sensitive data to less secure locations.
Audit Metadata