Back to skill

Security audit

Mac Reminder Bridge

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says, but it gives a local HTTP bridge the ability to read and change macOS Reminders with weak default access controls and fuzzy destructive actions.

Install only if you intentionally want an AI agent in Docker to manage your Mac Reminders. Before use, set BRIDGE_SECRET, keep port 5000 off public networks, narrow BRIDGE_ALLOWED_IPS to exact trusted clients, and require explicit confirmation before fuzzy delete, update, complete, or all-list operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill invokes network and shell-capable behavior (`curl` to a host bridge and optional use of environment-sourced secrets) without declaring explicit permissions. That creates a transparency and policy-enforcement gap: users or orchestrators may approve the skill believing it is low-privilege when it can actually send reminder contents off-process to a listening service on the host. In this context, the bridge targets `host.docker.internal`, which increases sensitivity because it crosses the container boundary into the host environment.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README instructs users to expose port 5000 and shows direct HTTP calls that can create reminders, but it does not clearly warn that any authorized or reachable client can write into the user's native macOS Reminders data, potentially syncing to iCloud. In the context of an AI agent bridge, this matters because remote/containerized agents may issue actions on the host user's behalf, increasing the chance of unintended or abusive modification of personal data.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger phrases are broad enough that ordinary reminder-related language may invoke the skill unintentionally, causing accidental creation, deletion, or modification of reminders. Because the skill performs state-changing actions against a host-side service, overbroad activation increases the chance of unintended operations and privacy leakage of reminder content.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill sends reminder titles, notes, due dates, and possibly list names over an HTTP bridge to a host service, but the documentation does not warn users about that data flow. Reminder contents often contain sensitive personal or business information, so lack of disclosure can lead to uninformed use and exposure, especially if the bridge is not properly authenticated or is accessible beyond the local trust boundary.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.