Apple Notes (AppleScript)

Security checks across malware telemetry and agentic risk

Overview

This Apple Notes skill is purpose-aligned, but it needs review because it can copy note attachments to disk and can edit or delete notes with weak safeguards.

Install only if you are comfortable giving an agent broad access to Apple Notes, including note contents, attachments, OCR search results, and edit/delete authority. Prefer exact note IDs and narrow folders, review edit/delete requests carefully, avoid untrusted search text, and clean /tmp/notes-export after any read or export involving attachments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
The script directly enumerates Apple Notes on-disk storage under the user's Group Containers directory and derives account-specific attachment paths, which exceeds the documented AppleScript-only note operations in the skill metadata. This creates an undocumented data-access path that can export files outside the expected Notes automation interface, increasing privacy and trust risks for users invoking the skill.

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
This script does more than read note content: it enumerates Apple Notes backing-storage paths and prepares to export attachment artifacts from the local Notes container. In a skill advertised as reading notes, silently expanding access to local attachment files increases data exposure and can surprise users, especially because attachments may contain sensitive documents outside the visible note text.

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The script copies extracted attachment files into /tmp/notes-export during a read operation, which creates a second unprotected copy of potentially sensitive data. Temporary directories are a poor default for confidential documents because data may persist longer than expected and be accessible to other local processes or users depending on system configuration.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
Instead of relying solely on the Notes AppleScript interface, the script directly inspects Apple Notes' Group Containers storage to locate account UUIDs and attachment-related directories. Direct filesystem access broadens the privilege and data-access surface, bypasses the expectation of app-level mediation, and makes the skill more capable of harvesting local note artifacts than its description suggests.

Missing User Warnings

Medium
Confidence: 84%
Finding
This skill operates on obviously sensitive personal data, including medical, receipts, property, and other intimate notes, yet the documentation presents read/search/edit/delete workflows without clear privacy and sensitivity warnings. In an agent setting, that omission can normalize broad searches and retrieval of confidential material, increasing the chance of over-collection or accidental disclosure.

Missing User Warnings

Medium
Confidence: 88%
Finding
The script creates an output directory and later copies extracted attachments there without an explicit warning, consent step, or strong safeguard around data export. Because note attachments may contain sensitive scanned documents or images, silent export to a filesystem location can cause unintended disclosure, especially if the default path is predictable or accessible to other local processes/users.

Missing User Warnings

Medium
Confidence: 90%
Finding
The script probes the user's Notes account storage and enumerates attachment-related metadata from local application data without any explicit privacy disclosure. In the context of a skill advertised for note operations via AppleScript, this hidden inspection of backing storage is more dangerous because users may not expect direct access to locally stored account artifacts and attachments.

Missing User Warnings

Medium
Confidence: 91%
Finding
The name-based path edits the first note whose name contains the provided search term, which can modify the wrong note when multiple notes have similar titles. In a note-management skill, this makes unintended destructive changes more likely because the matching is ambiguous and there is no confirmation, exact-match requirement, or disambiguation step before overwriting content.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill reads note contents and also sets up access to local attachment storage without prominently warning the user that data may be accessed from private application directories and later copied out. For a notes integration, that hidden expansion of behavior increases privacy risk because users may reasonably expect a simple in-app read, not filesystem-level access.

Missing User Warnings

Medium
Confidence: 98%
Finding
Copying note attachments to /tmp/notes-export without confirmation or a strong disclosure is a privacy and data-handling issue because it creates residual local copies outside Apple Notes. In the context of a note-reading skill, this is more dangerous because users would not normally infer that reading a note also exports associated files to disk.

Missing User Warnings

Medium
Confidence: 94%
Finding
The script enables Spotlight/OCR-backed search across Apple Notes content, including note bodies and scanned document text, and only prints a performance/folder warning rather than a clear privacy notice or consent prompt. In a notes integration, this can expose sensitive personal or business information to users or downstream agents who may not realize the search reaches beyond titles into full content and OCR-indexed material.

VirusTotal

62/62 vendors flagged this skill as clean.
