Is cryptol0rd/apple-notes-updater safe?

https://github.com/openclaw/skills/tree/main/skills/cryptol0rd/apple-notes-updater

79
CAUTION

The apple-notes-updater skill has a legitimate stated purpose and its SKILL.md contains no prompt injection, exfiltration logic, or adversarial instructions. However, the included shell script (update_note.sh) contains a critical shell/AppleScript injection vulnerability: the $NOTE_TITLE argument is interpolated unsanitized into an osascript heredoc, allowing a crafted note title to inject arbitrary AppleScript and escalate to full shell command execution via 'do shell script'. The skill should not be installed in its current form without patching this input sanitization flaw.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 82/100 · 25%
Code Execution 40/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 72/100 · 5%

Findings (5)

HIGH AppleScript Injection via Unsanitized $NOTE_TITLE in osascript Heredoc -45

update_note.sh constructs an osascript heredoc by interpolating $NOTE_TITLE directly into an AppleScript string literal with no escaping or validation. A note title containing a double-quote character terminates the AppleScript string, allowing arbitrary AppleScript to be injected. Because osascript exposes the 'do shell script' command, this path escalates to arbitrary shell command execution under the agent's user account. Any agent task that passes user-supplied or LLM-generated content as the note title is exploitable.

MEDIUM osascript Grants Unrestricted macOS Automation Access -15

The skill invokes osascript with no application sandboxing or entitlement restrictions. Depending on what permissions the agent process holds (Accessibility, Full Disk Access, Automation), osascript can automate any installed macOS application — not just Notes. This makes the skill's effective privilege footprint significantly larger than its stated scope. Combined with the injection vulnerability, the blast radius extends to any application the agent is authorized to control.

LOW Temporary File Not Cleaned on osascript Failure -10

The script creates a temp file via mktemp, writes $NEW_BODY to it, then deletes it with 'rm $TMP_FILE' after the osascript heredoc. If osascript exits non-zero or the script is interrupted (SIGINT, SIGKILL), the rm never runs, leaving the note body content in /tmp until the next reboot or manual cleanup. If the note body contains sensitive data (e.g., an agent was asked to write PII, credentials, or private communications into a note), that content persists on disk unprotected.

LOW osascript Can Access Data from Other Authorized macOS Applications -8

While the skill's stated purpose is limited to Notes.app, osascript is a general-purpose macOS automation interface. If the agent that loads this skill has been granted Automation permissions for other applications (Calendar, Mail, Contacts, Safari, Keychain), a prompt-injected or maliciously crafted invocation could leverage those permissions to exfiltrate data without any additional capability grants.

INFO Expected GitHub Connection for Sparse Monorepo Clone 0

The install process performed a shallow sparse-checkout clone of github.com/openclaw/skills.git (140.82.121.3:443), extracted only the skills/cryptol0rd/apple-notes-updater subtree, copied it to the skill directory, and removed the clone. All network activity is attributable to this expected operation and to Ubuntu system MOTD processes. No connections to attacker-controlled infrastructure were observed.