apple-notes
Warn
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of the 'memo' CLI tool via a third-party Homebrew tap ('antoniorodr/memo'). This repository is not associated with a known trusted organization, introducing a supply chain risk from an unverified source.- [COMMAND_EXECUTION]: The skill relies on executing the 'memo' binary on the host system to interact with the Notes.app database, which involves performing shell-level operations to list, search, and modify user data.- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it retrieves content from Apple Notes, which is untrusted external data. If a note contains malicious instructions, the agent may interpret them as valid commands.
- Ingestion points: Note content and titles are retrieved via 'memo notes' and 'memo notes -s' (SKILL.md).
- Boundary markers: There are no delimiters or instructions provided to isolate note content from the agent's task context.
- Capability inventory: The skill can create, edit, and delete notes; the agent may have access to other powerful tools depending on the environment.
- Sanitization: No sanitization, filtering, or validation of the retrieved note content is implemented.
Audit Metadata