ClawHub

macOS Notes

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises: it lets an agent manage Apple Notes on macOS, with a disclosed local activity log that users should be aware of.

Install only if you are comfortable letting the agent access Apple Notes on your Mac when you ask it to. Avoid asking it to read or search notes containing secrets, specify the account and folder when location matters, and periodically review or delete logs/notes.log if note titles or search terms are sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script persistently logs user note activity and metadata, including commands, account/folder targets, note titles, and search queries, to a local file outside Notes.app. This creates an additional data store containing potentially sensitive information that is not necessary for core note operations and may be accessible to other local users, backup systems, or monitoring tools.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger language is broad enough to activate on common conversational phrases, increasing the chance the skill runs when the user did not intend Apple Notes access. In this context, that can cause unintended note creation, reading, or searching of personal data stored in Notes.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation states that note actions and titles are logged, but it provides no explicit privacy warning or consent mechanism. Because note titles often contain sensitive personal or work information, silent logging can expose metadata even if note bodies are not stored.

Ssd 3

Medium
Confidence
91% confidence
Finding
An instruction to retain and log user note activity introduces a privacy and data-retention risk, especially in a notes skill where activity may reveal sensitive habits, projects, or personal topics. In this skill context, even metadata such as timestamps, commands, and titles can be highly sensitive.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal