Apple Notes Extractor

Security checks across malware telemetry and agentic risk

Overview

This is a real Apple Notes exporter, but it needs review because it can copy private notes broadly, install unpinned third-party code, and encourages automation or external sharing without enough safeguards.

Install only if you intentionally want broad Apple Notes extraction. Prefer the simple local method, review output locations before running, avoid full extraction unless you trust and pin the external Ruby parser, keep monitoring and webhooks disabled unless explicitly needed, and do not connect exports to AI, Git, Notion, search, or backup systems without filtering, encryption, and access-control review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (36)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    "--export-json", str(output_file)
]

result = subprocess.run(
    cmd,
    capture_output=True,
    text=True,
Confidence
90% confidence
Finding
result = subprocess.run( cmd, capture_output=True, text=True, timeout=self.config["methods"]["full"]["timeout"],

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
    # Clone the repository
    subprocess.run([
        "git", "clone",
        "https://github.com/threeplanetssoftware/apple_cloud_notes_parser.git"
    ], cwd=str(tools_dir), check=True)
Confidence
97% confidence
Finding
subprocess.run([ "git", "clone", "https://github.com/threeplanetssoftware/apple_cloud_notes_parser.git" ], cwd=str(tools_dir), check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Install Ruby dependencies
parser_dir = tools_dir / "apple_cloud_notes_parser"
subprocess.run([
    "bundle", "install"
], cwd=str(parser_dir), check=True)
Confidence
98% confidence
Finding
subprocess.run([ "bundle", "install" ], cwd=str(parser_dir), check=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises and invokes Python scripts plus osascript-based access to Apple Notes, with outputs to user-specified paths and integrations that can write files and potentially contact external systems, yet it declares no explicit permissions. This creates a transparency and consent gap: a user or orchestrator may authorize the skill without understanding that it can read sensitive notes, execute shell-adjacent operations, and write extracted content to disk.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The integration guide includes multiple examples that transmit Apple Notes content to external systems such as Elasticsearch, OpenAI, Notion, git remotes, and backup servers. For a skill whose stated purpose is Apple Notes extraction and monitoring, bundling broad publication and exfiltration patterns materially expands the data-flow surface and can normalize unsafe handling of sensitive note contents.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The REST API and webhook examples expose note extraction as a remotely triggerable action, which increases attack surface beyond the core extraction use case. If deployed as shown, an attacker who can reach the service may trigger repeated extraction jobs or abuse the endpoint in combination with other weaknesses, potentially leading to data exposure or denial of service.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The checklist asserts the system is 'properly secured' and uses 'local processing,' yet it also documents GPT-based summarization, which can involve sending note content to an external service. This is a security-relevant contradiction because it may mislead users into believing sensitive Apple Notes never leave the local environment when they may in fact be transmitted off-device.

Description-Behavior Mismatch

Low
Confidence
79% confidence
Finding
The documented workflow expands from note extraction into social-media insight generation, research processing, search indexing, and memory integration, which broadens the scope of data use beyond what the skill description implies. This increases the chance that sensitive personal notes are repurposed in downstream systems without clear user understanding or consent.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The guide makes broad privacy assurances that 'all processing happens locally' and 'no data is sent to external services,' yet elsewhere instructs users to fetch and install tooling from the network. Even if note contents are not uploaded by the skill itself, this wording can mislead users into underestimating network exposure and supply-chain risk during setup.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill's stated purpose is note extraction/export, but it also downloads and prepares third-party tooling from the internet at runtime. That hidden expansion of capability materially increases risk because users may not expect network retrieval and execution of external code in a local notes-export utility.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill executes `git clone` and `bundle install`, which are high-risk system/package-management actions beyond narrow data extraction. In context, these operations are especially dangerous because they occur in a tool that accesses private Notes content, magnifying the consequences of a compromised dependency chain.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The monitor can send note-monitoring metadata to an arbitrary `webhook_url`, creating an outbound exfiltration channel. Even though the payload is limited to message text, level, and timestamp, those messages include note titles and change activity, which are sensitive for a Notes-monitoring skill and broader than local-only monitoring expectations.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Allowing arbitrary outbound webhook destinations is not necessary for core Apple Notes monitoring and materially increases data-leak risk. In this skill context, note titles and change notifications can reveal private personal or business information, making the unjustified network capability more dangerous.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The CLI promises that dry-run makes no changes, but object initialization can still create and write a default config file. This violates operator expectations and can unexpectedly persist files to disk, which matters in automation, read-only environments, or privacy-sensitive workflows.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This document presents Apple Notes extraction and monitoring as 'ready for production use' and integrated into automated workflows, but it does not prominently warn that private note contents will be accessed on an ongoing basis. For a skill centered on extracting personal notes, normalizing continuous collection without explicit consent and disclosure creates a real privacy risk and can lead users to enable surveillance-like behavior unintentionally.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The cron examples schedule recurring background extraction and monitoring of Apple Notes, including daily and every-30-minute runs, without an adjacent consent, privacy, or data-handling warning. Because Apple Notes commonly contains sensitive personal, financial, health, and credential-adjacent information, documenting unattended collection materially increases the chance of overcollection and unnoticed exposure.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The statement that the system 'will automatically begin daily extractions and monitoring' is especially concerning because it implies autonomous collection of note data without a strong warning about privacy consequences or confirmation gating. In the context of a skill designed to harvest and process Apple Notes into other workflows, this messaging lowers user caution and can cause sensitive note content to be propagated into logs, exports, memory systems, or other tools.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The AI processing example sends note body content to an external AI service without any warning that private note data is leaving the local environment. Apple Notes commonly contain sensitive personal, financial, or credential-related content, so silent transmission to a third party creates a meaningful confidentiality risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The backup example commits extracted notes into git and pushes them to a remote repository, then copies them to a remote server, without warning about privacy, repository access control, or accidental publication. This can easily result in long-lived disclosure of highly sensitive note content and metadata.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The Notion migration example uploads note titles, folder names, dates, and body content to a third-party SaaS without informing users of the disclosure. Because Notes data is often sensitive, presenting this as a simple migration pattern without warning can mislead users into exporting confidential information unsafely.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document describes automated extraction, indexing, backups, monitoring, and AI processing of Apple Notes content without a prominent warning about privacy, retention, third-party sharing, or the sensitivity of note data. Because Apple Notes often contain highly personal or credential-like information, omission of these warnings can cause unsafe deployment and unintentional exposure through automation and backups.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README promotes bulk extraction and real-time monitoring of Apple Notes, which commonly contain highly sensitive personal or business information, but it does not prominently warn users about the sensitivity of that data or the risks of exporting and storing extracted content locally. In a skill designed for workflow integration and automated processing, this omission can lead users to enable broad note access and persistent storage without understanding the privacy and security consequences.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The skill description is broadly framed as extracting and monitoring Apple Notes for workflow integration, without clear trigger boundaries, user-scoping limits, or confirmation requirements. In context, this is risky because Apple Notes commonly contains highly sensitive personal and business information, so vague invocation language can lead to overbroad activation and unintended collection.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation promotes bulk extraction and real-time monitoring of Apple Notes but does not prominently warn that notes may contain passwords, financial records, health details, legal content, or other sensitive personal data. Because the skill is specifically designed to access a private note repository, the missing warning materially increases the chance of unsafe use, oversharing, and accidental exfiltration through downstream exports or integrations.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The usage guide promotes bulk extraction, monitoring, and export of Apple Notes without clearly foregrounding that full note bodies, metadata, and potentially attachments will be written to local output directories and may be propagated into downstream tools or synced locations. In the context of personal notes, this creates a meaningful privacy and data-handling risk because users may unknowingly duplicate sensitive content outside the Notes app's original protections.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal