Apple Notes (AppleScript)
Verdict: Suspicious. Audited by ClawScan on May 10, 2026.
Overview
The skill largely matches its stated Apple Notes purpose, but it needs review for three reasons: it can overwrite or delete notes on a partial match, it builds AppleScript by interpolating a command argument into program text, and it copies note attachments into the shared /tmp directory.
Only install it if you are comfortable granting the agent automation access to your Apple Notes. Prefer exact note IDs and folder-scoped commands, avoid the delete and edit commands unless you have reviewed the target note and have a backup, and remove /tmp/notes-export after any read that extracted attachments.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1: AppleScript code injection through the unvalidated limit argument
Impact: A crafted limit value changes the AppleScript program that runs. Whoever controls that argument can escape the intended Notes-only workflow and execute other AppleScript actions (AppleScript can call do shell script) under the user's account.
Detail: The command argument is assigned to LIMIT and later inserted directly into the generated osascript program as bare program text, not as a validated number or a quoted AppleScript literal.
Evidence: else LIMIT="$arg"; fi ;; ... set maxCount to $LIMIT as integer
Recommendation: Validate numeric arguments before use (digits only, bounded range), pass values to osascript as arguments that the script reads through on run argv instead of string-building the program, and quote or escape every AppleScript literal consistently.
Finding 2: Destructive delete on the first partial title match, with no confirmation
Impact: The agent can delete the wrong note when a partial title matches unexpectedly, which becomes likely in a large Notes collection with similar titles.
Detail: The delete command performs a destructive action on the first note whose name contains the search term, with no built-in confirmation step and no dry-run mode that shows the match first.
Evidence: # Delete a note by name (partial match) ... if name of n contains searchTerm then ... delete n
Recommendation: Require an exact note ID or an exact title match for destructive actions, show the matched note before acting, and require explicit user confirmation before deleting or overwriting content.
Finding 3: Attachments copied into the shared /tmp directory and left behind
Impact: Sensitive attachments such as receipts, medical documents, or scans can remain as loose files in /tmp after a read operation, readable by any local process that can read that directory.
Detail: Reading a note can copy attachment PDFs and images from the local Notes account storage into /tmp/notes-export, leaving retrieved content outside Notes with no cleanup.
Evidence: ACCOUNTS_DIR="$HOME/Library/Group Containers/group.com.apple.notes/Accounts/" ... OUTPUT_DIR="/tmp/notes-export/" ... cp "$found_file" "$output_path"
Recommendation: Make attachment extraction explicit and opt-in, document the output location, write into a user-chosen directory with restrictive permissions rather than /tmp, and provide cleanup guidance.
Finding 4: Default scope covers every note in the account
Impact: Granting this skill Notes automation access lets it read or search across all of the user's Notes data, not just one folder.
Detail: When no folder is specified, the helper builds an AppleScript scope that covers every note available to the current Notes account.
Evidence: if [ -z "$folder" ]; then FOLDER_SCRIPT="set noteList to every note"
Recommendation: Use folder-scoped commands wherever possible, and only grant macOS Notes automation access if broad access to all notes is acceptable.
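The following helper, added here as an example and not taken from the skill, shows how findings 1, 2 and 4 can be addressed together in a shell wrapper: the limit is validated as a bounded integer, the folder name and limit reach AppleScript only as argv items read by an on run argv handler rather than being spliced into program text, and deletion resolves exactly one note by ID, prints it, defaults to a dry run, and asks for a typed confirmation before acting. It assumes osascript reads the program from stdin when given "-" and passes trailing arguments to the handler, that Notes resolves "note id" to a single note, and that note IDs come from an earlier list call; the list/delete subcommand names are this example's own.

```shell
#!/bin/sh
# Hardened list/delete wrapper for the Notes helper. Added example, not the
# skill's own code. Assumptions: osascript reads the program from stdin when
# given "-" and hands trailing arguments to the AppleScript "on run argv"
# handler; note IDs are opaque strings taken from a previous list call.
#
# The flagged pattern splices shell text into program text:
#   set maxCount to $LIMIT as integer   # LIMIT='1\ndo shell script "id"' runs
# Here user values reach AppleScript only as argv items, never as code.

validate_limit() {        # accept a plain decimal integer in 1..1000
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 1000 ]
}

nl='
'
validate_note_id() {      # non-empty and single-line; otherwise opaque
  case "$1" in ''|*"$nl"*) return 1 ;; esac
  return 0
}

run_applescript() {       # run_applescript "$program" arg1 arg2 ...
  program=$1; shift
  printf '%s\n' "$program" | osascript - "$@"
}

# Listing. Folder name and limit are argv items. An empty folder name falls
# back to "every note", the broad scope of finding 4, so pass one when you can.
LIST_SCRIPT=$(cat <<'EOF'
on run argv
  set folderName to item 1 of argv
  set maxCount to (item 2 of argv) as integer
  set out to ""
  set i to 0
  tell application "Notes"
    if folderName is "" then
      set noteList to every note
    else
      set noteList to every note of folder folderName
    end if
    repeat with n in noteList
      if i is greater than or equal to maxCount then exit repeat
      set out to out & (id of n) & tab & (name of n) & linefeed
      set i to i + 1
    end repeat
  end tell
  return out
end run
EOF
)

# Deletion. Resolves exactly one note by id (an unknown id is an error, not a
# partial match), reports it, and deletes only when argv says "delete".
DELETE_SCRIPT=$(cat <<'EOF'
on run argv
  set noteId to item 1 of argv
  set verb to item 2 of argv
  tell application "Notes"
    set theNote to note id noteId
    set summary to (id of theNote) & tab & (name of theNote)
    if verb is "delete" then delete theNote
  end tell
  return summary
end run
EOF
)

list_notes() {            # list_notes [folder] [limit]
  folder=${1:-}; limit=${2:-50}
  validate_limit "$limit" || { echo "invalid limit: '$limit'" >&2; return 2; }
  run_applescript "$LIST_SCRIPT" "$folder" "$limit"
}

delete_note() {           # delete_note <note-id> [--yes]
  id=$1
  validate_note_id "$id" || { echo "invalid note id" >&2; return 2; }
  match=$(run_applescript "$DELETE_SCRIPT" "$id" show) ||
    { echo "no note with id $id" >&2; return 1; }
  printf 'Matched exactly one note:\n%s\n' "$match"
  [ "${2:-}" = --yes ] || { echo "dry run; re-run with --yes to delete" >&2; return 0; }
  printf 'Type DELETE to confirm: '
  read -r answer
  [ "$answer" = DELETE ] || { echo "aborted" >&2; return 1; }
  run_applescript "$DELETE_SCRIPT" "$id" delete >/dev/null && echo "deleted $id"
}

if [ "$#" -gt 0 ]; then   # ./notes.sh list Work 20 | ./notes.sh delete <id> --yes
  cmd=$1; shift
  case "$cmd" in
    list)   list_notes "$@" ;;
    delete) delete_note "$@" ;;
    *)      echo "usage: $0 list [folder] [limit] | delete <note-id> [--yes]" >&2; exit 2 ;;
  esac
fi
```

Because the program text is a fixed string, the validation is defence in depth rather than the only barrier: even an unvalidated limit could only make the "as integer" coercion fail, not add statements. The typed confirmation matters for an agent-driven tool, since a simple y/n prompt is easy for a model to answer reflexively.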
