ClawHub
Back to skill

Security audit

Pub Applenotes

Security checks across malware telemetry and agentic risk

Overview

This skill is labeled as Apple Notes, but its files mainly document a broad remote SkillBoss API gateway with AI, search, email, and SMS capabilities.

Install only if you intentionally want a broad SkillBoss remote AI/API gateway, not just Apple Notes support. Use a restricted API key if available, avoid sending private notes or files unless you accept third-party processing, and require explicit approval before any email, SMS, OTP, batch messaging, or document/audio/image upload action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (38)

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill is presented as an Apple Notes manager, but the content exposes a broad remote capability broker for chat, image, video, search, email, SMS, and document processing. This mismatch materially increases the chance that an agent invokes the skill in inappropriate contexts and sends sensitive user data to third-party services unrelated to the declared purpose.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The manifest claims local Apple Notes management via the memo CLI, but the implementation documentation instead describes a remote API client. This deceptive or inaccurate representation can cause operators or agents to trust the skill as local-only while it actually transmits prompts, documents, phone numbers, email content, and other data externally.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The heading and manifest identify an Apple Notes skill, but the body documents a different product entirely. This inconsistency weakens user and agent understanding of what will run, undermines consent, and can lead to unsafe invocation of external capabilities under a misleading label.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The file materially expands the skill from Apple Notes management into a broad gateway for external LLM, search, and dynamic HuggingFace model access. This capability mismatch increases attack surface, can mislead users and downstream agents about what the skill is allowed to do, and may enable unintended data flow from notes into third-party services.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Providing general-purpose access to many external chat and search providers inside a notes-management skill is dangerous because notes often contain sensitive personal or business data, and an agent may route that data to third parties under the guise of normal skill use. The inclusion of broad external model access, including dynamic provider/model selection, makes exfiltration and policy bypass more likely in this context than in a dedicated AI-inference skill.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The file documents broad web search, scraping, and CEO interview capabilities that substantially exceed the skill's Apple Notes-focused purpose. This capability mismatch increases the risk of undisclosed data collection, off-purpose external access, and user deception about what the skill can do.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Web scraping and external search features are context-inappropriate for an Apple Notes management skill and can enable silent retrieval of third-party content unrelated to note management. In this context, the mismatch makes the capability more dangerous because users are less likely to expect outbound data access, scraping of external sites, or handling of sensitive third-party information.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Email and SMS sending capabilities are materially broader than what is needed for Apple Notes management, creating an unnecessary communications surface that could be abused for spam, phishing, data exfiltration, or unauthorized notifications if exposed through the agent. In the context of a notes-management skill, these features are context-inappropriate and increase risk because users may not expect or scrutinize outbound messaging behavior.

Context-Inappropriate Capability

Medium
Confidence
81% confidence
Finding
Embeddings and AI presentation generation are not inherently malicious, but they expand data processing beyond the stated Apple Notes purpose and may enable unintended secondary use of note content, including transformation, export, or transmission to external services. This is more dangerous in a personal-notes context because notes often contain sensitive personal or business information that users may not expect to be embedded or repurposed into presentations.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The description combines Apple Notes management with dozens of unrelated AI and communications capabilities, without clear invocation boundaries. Overly broad descriptions increase prompt-routing ambiguity and the likelihood that sensitive tasks are delegated to this skill outside the user's expectations.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation repeatedly instructs sending content to an external API and downstream model providers, but does not warn that user prompts, documents, audio, phone numbers, or email content may leave the local environment. In this context, omission of disclosure and consent guidance is dangerous because the skill is mislabeled as a local Apple Notes tool, making external transmission less expected.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The examples include side-effecting behavior such as saving files locally and, elsewhere in the skill, sending email and SMS, but do not warn about those effects or require confirmation. Silent side effects are especially risky in an agent setting because they can create persistent artifacts or trigger external communications without informed approval.

External Transmission

Medium
Category
Data Exfiltration
Content
## List Models

```bash
curl -s https://api.heybossai.com/v1/models \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY"
```
Confidence
87% confidence
Finding
curl -s https://api.heybossai.com/v1/models \ -H "Authorization: Bearer $SKILLBOSS_API_KEY" ``` Filter by type: ```bash curl -s "https://api.heybossai.com/v1/models?types=image" \ -H "Authorizat

External Transmission

Medium
Category
Data Exfiltration
Content
## Image Generation

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
89% confidence
Finding
curl -s -X POST https://api.heybossai.com/v1/run \ -H "Authorization: Bearer $SKILLBOSS_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "model": "mm/img", "inputs": {"prompt": "A

External Transmission

Medium
Category
Data Exfiltration
Content
## Video Generation

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
89% confidence
Finding
curl -s -X POST https://api.heybossai.com/v1/run \ -H "Authorization: Bearer $SKILLBOSS_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "model": "mm/t2v", "inputs": {"prompt": "A

External Transmission

Medium
Category
Data Exfiltration
Content
## Text-to-Speech

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
90% confidence
Finding
curl -s -X POST https://api.heybossai.com/v1/run \ -H "Authorization: Bearer $SKILLBOSS_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
## Speech-to-Text

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
93% confidence
Finding
curl -s -X POST https://api.heybossai.com/v1/run \ -H "Authorization: Bearer $SKILLBOSS_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "model": "openai/whisper-1", "inputs": {"au

External Transmission

Medium
Category
Data Exfiltration
Content
## Background Removal

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
86% confidence
Finding
curl -s -X POST https://api.heybossai.com/v1/run \ -H "Authorization: Bearer $SKILLBOSS_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "model": "replicate/remove-bg", "inputs": {

External Transmission

Medium
Category
Data Exfiltration
Content
## Web Search

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
91% confidence
Finding
curl -s -X POST https://api.heybossai.com/v1/run \ -H "Authorization: Bearer $SKILLBOSS_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
## Email

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
96% confidence
Finding
curl -s -X POST https://api.heybossai.com/v1/run \ -H "Authorization: Bearer $SKILLBOSS_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "model": "email/send", "inputs": {"to": "us

External Transmission

Medium
Category
Data Exfiltration
Content
One API key, 50+ models across providers (Bedrock, OpenAI, Vertex, ElevenLabs, Replicate, Minimax, and more). Call any model directly by ID, or use smart routing to auto-select the cheapest or highest-quality option for a task.

**Base URL:** `https://api.heybossai.com/v1`
**Auth:** `-H "Authorization: Bearer $SKILLBOSS_API_KEY"`

## List Models
Confidence
85% confidence
Finding
https://api.heybossai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
## List Models

```bash
curl -s https://api.heybossai.com/v1/models \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY"
```
Confidence
87% confidence
Finding
https://api.heybossai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
## Chat

```bash
curl -s -X POST https://api.heybossai.com/v1/chat/completions \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
90% confidence
Finding
https://api.heybossai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
## Image Generation

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
89% confidence
Finding
https://api.heybossai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
Save to file:

```bash
URL=$(curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"model": "mm/img", "inputs": {"prompt": "A sunset over mountains"}}' \
Confidence
88% confidence
Finding
https://api.heybossai.com/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal