Is lucaperret/macos-notes safe?

https://github.com/openclaw/skills/tree/main/skills/lucaperret/macos-notes

Overall score: 83/100 (SAFE)

The lucaperret/macos-notes skill is a well-constructed, legitimate macOS Notes management tool with no malicious indicators in its prompt instructions, no built-in exfiltration code, no install hooks, and a clean network footprint during installation. The primary risks are operational rather than adversarial: the skill's AppleScript access to Notes.app grants the agent read access to the user's entire notes database, and the persistent action log captures note titles and search queries to disk. Canary files were accessed only by the audit framework and all remain intact.

Category Scores

Prompt Injection 88/100 · 30%
Data Exfiltration 70/100 · 25%
Code Execution 82/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (7)

MEDIUM Persistent log captures sensitive note titles and search queries -15

The log_action() function appends timestamp, command, account/folder, and note title (or search query) to $SKILL_DIR/logs/notes.log on every invocation. If a user dictates a note containing credentials or asks to search for 'passwords', those strings persist on disk in a predictable location accessible to any process running as the same user.

MEDIUM AppleScript grants full read access to all Notes accounts and folders -15

The skill intentionally accesses all Notes accounts and folders via AppleScript. list-folders, list-notes (limit 1-200), and search-notes can enumerate the user's entire notes database by title. read-note returns full plaintext of any non-password-protected note. This is by design but constitutes a high-value data surface if the agent is manipulated.

LOW Raw HTML field accepted without tag sanitization -8

The html parameter to create-note accepts arbitrary HTML, strips newlines, and passes it directly into the Notes.app body via osascript. The Python validator does not sanitize HTML tags. While contained within Notes.app's renderer, this could be used to inject misleading visual content (fake login prompts, social engineering) into the user's notes.

LOW Example prompt normalizes routing secrets through skill -12

The SKILL.md includes 'Note down the API key format: prefix_xxxx' as a usage example, which trains the agent to consider this skill appropriate for handling API keys and credentials. This is a soft behavioral nudge rather than an explicit injection attempt.

LOW Skill becomes notes exfiltration primitive if agent is compromised -25

In combination with any network-capable skill (curl, fetch, HTTP request), an attacker controlling the agent's instruction stream could chain search-notes to enumerate titles, read-note to retrieve content, and a network skill to exfiltrate. The skill itself has no exfiltration code but is a high-value component in a multi-skill attack chain.

INFO GitHub and Ubuntu Canonical connections during install 0

Network traffic during install was limited to github.com (git clone) and Ubuntu Canonical servers (apt/motd update checks). All connections are attributable to the install process and system background tasks. No suspicious destinations.

INFO Canary file accesses attributable to audit framework only 0

Canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were accessed at pre-install (1771902504) and post-install (1771902526) timestamps. Both access sets align with the audit framework's baseline and post-install verification operations, not with skill execution. The skill is passive and is not auto-executed on install.