apple-notes
Pass
Audited by Gen Agent Trust Hub on May 17, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the user to install an external CLI tool, memo, from a third-party Homebrew repository (antoniorodr/memo/memo). While necessary for the skill's functionality, this introduces a dependency on external code from a source outside of well-known organizations.
- [COMMAND_EXECUTION]: The skill functions by executing shell commands through the memo utility to interact with the macOS Notes application, which is the primary mechanism for its operations.
- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface because it reads and processes user-controlled data from Apple Notes. Malicious content within a note could potentially influence the agent's behavior during viewing or searching operations.
  - Ingestion points: Reading, searching, and exporting notes via memo notes (SKILL.md).
  - Boundary markers: No specific delimiters or instructions are provided to the agent to treat note content as untrusted data.
  - Capability inventory: The memo tool can create, move, delete, and export notes, providing several vectors for automated actions (SKILL.md).
  - Sanitization: There is no evidence of content sanitization or validation before the agent processes the retrieved note text.
Audit Metadata