skills/dotnetage/mindx/notes/Gen Agent Trust Hub

notes

Fail

Audited by Gen Agent Trust Hub on Apr 11, 2026

Risk Level: HIGH (COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
  • [COMMAND_EXECUTION]: The script 'notes_cli.sh' is vulnerable to command injection. It takes user-provided variables '$TITLE' and '$CONTENT' and interpolates them directly into AppleScript strings executed via 'osascript' (lines 24 and 43). Because these variables are not sanitized or escaped, an attacker can provide values containing double quotes and AppleScript commands (e.g., using 'do shell script') to execute arbitrary code with the user's privileges.
  • [DATA_EXFILTRATION]: The 'list' action in 'notes_cli.sh' (lines 28-31) retrieves and outputs the names of all notes in the user's macOS Notes application. This provides a mechanism for an attacker to programmatically harvest titles of private documents, which may contain sensitive information.
  • [INDIRECT_PROMPT_INJECTION]: The skill presents a significant surface for indirect prompt injection attacks:
    • Ingestion points: Untrusted data enters the context through the 'title' and 'content' parameters defined in 'SKILL.md'.
    • Boundary markers: Absent. The skill does not use delimiters or instructions to prevent the agent from following commands embedded within the notes data.
    • Capability inventory: The skill possesses powerful capabilities through 'osascript', which can manipulate system applications and execute shell commands.
    • Sanitization: No sanitization or validation is performed on user inputs before they are passed to the shell and AppleScript environments.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Apr 11, 2026, 10:47 AM