Is apple-notes safe?
https://clawhub.ai/steipete/apple-notes
The apple-notes skill is a lightweight, markdown-only instruction file that wraps the memo CLI for Apple Notes management. It contains no executable code, no hidden instructions, and no data exfiltration mechanisms. The primary risk is the external dependency on the antoniorodr/memo Homebrew package, which is outside the skill author's control and provides full CRUD access to Apple Notes — a potential source of sensitive personal data.
Findings (6)
MEDIUM External dependency trust boundary -10
The skill instructs installation of antoniorodr/memo/memo via a Homebrew tap. This external binary has full access to Apple Notes data and is not audited as part of this skill. A supply chain compromise of the memo package could lead to data exfiltration.
LOW Apple Notes as potential exfiltration staging -15
The skill enables reading and writing Apple Notes, which sync via iCloud. In combination with a malicious skill, Notes could be used as a covert data staging channel for exfiltration through iCloud sync.
LOW Destructive operations without confirmation -15
The skill exposes delete (-d) and move (-m) operations on Apple Notes. If the agent misinterprets user intent, notes could be permanently deleted or moved to the wrong folders.
LOW External binary execution via shell -15
The skill instructs the agent to execute the memo CLI binary via shell commands. While no code is bundled in the skill itself, the agent will execute an external binary that is outside the skill's trust boundary.
INFO Runtime environment reads sensitive files -5
Filesystem monitoring detected reads of .env, .aws/credentials, .profile, and .bashrc during the audit. These are attributable to the OpenClaw agent runtime bootstrapping, not the skill itself.
INFO Automation permission request -10
The skill asks users to grant Automation access to Notes.app in System Settings. This is a legitimate macOS requirement for AppleScript-based tools but expands the agent's system permissions.