ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Apple Notes (AppleScript)

v1.1.0

Apple Notes.app integration for macOS. List folders, read, create, search, edit, and delete notes via AppleScript.

0· 1k·3 current·3 all-time
by@shad0wca7·fork of @steipete/apple-notes (1.0.0)
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Apple Notes integration) match the included scripts and behavior. The scripts use osascript to list, read, create, edit, search and delete notes and to extract attachments from the Notes group container; all of these are legitimate needs for the stated purpose.
Instruction Scope
SKILL.md instructs running the included scripts and documents their behavior. The scripts read and write only local Notes.app data and temp files (/tmp, ~/Library/Group Containers/group.com.apple.notes/...), which is necessary for attachment extraction and note manipulation. They do not transmit data to remote endpoints. Note: some Spotlight (mdfind) usage and file-copy operations operate on local disk and may require macOS automation or Filesystem permissions; the scripts will access sensitive user note content and attachments (expected for this skill).
Install Mechanism
No install spec — instruction-only with included shell scripts. Nothing is downloaded or extracted from external URLs, so there's no install-time code-fetch risk.
Credentials
The skill requires no environment variables, credentials, or external tokens. It does access local Notes data and account directories in ~/Library/Group Containers which is proportional to attachment extraction and note access.
Persistence & Privilege
always:false and normal model invocation settings. The skill does not request persistent system-wide changes or modify other skills' configurations.
Assessment
This skill will read, create, edit and delete notes and can extract attachments from your local Notes database (it looks under ~/Library/Group Containers/group.com.apple.notes/). That behavior is expected for a Notes integration, but these are sensitive actions: - Expect macOS automation/Notes permission prompts when running these scripts. Granting those permissions gives the scripts access to your Notes data. - Deleting notes requires explicitly passing a folder (the script enforces this), but review delete usage carefully and consider backing up important notes first. - Attachment extraction copies files into /tmp/notes-export/ — verify and remove exported files when finished. - The scripts are local shell code; if you want extra safety, review or run them in a sandboxed account, or inspect/modify them before use. Minor implementation notes (non-malicious): some filename handling uses unquoted expansions (e.g., listing preview files) which could break on unusual filenames; this is an implementation robustness issue, not evidence of exfiltration. If you need higher assurance, review the scripts line-by-line or run them in a non-production environment first.

Like a lobster shell, security has layers — review code before you run it.

latestvk976m6ff29vbszea7vye3jav3180w6gp

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📝 Clawdis
OSmacOS

Comments