apple-notes

Fail

Audited by Snyk on Jun 27, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The prompt maps natural-language instructions to concrete CLI invocations that include API tokens and encryption keys (e.g., note sync config --api-token <TOKEN> and references to NOTE_SYNC_API_TOKEN and NOTE_ENCRYPTION_KEY), which can cause the LLM to ask for, accept, or emit secret values verbatim in generated commands or code, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (medium risk: 0.65). Outsider free text can enter the LLM context via the “no-arguments” runtime path: the skill scans the current conversation (which may include messages authored by other parties) to infer a note, then uses AskUserQuestion with the inferred title/body/folder derived from that outsider-authored chat text.


Audit Metadata

Risk Level: HIGH
Analyzed: Jun 27, 2026, 07:40 AM
Issues: 2