Apple Notes Hardened
PassAudited by ClawScan on May 3, 2026.
Overview
This skill is coherent and purpose-aligned for managing Apple Notes, but it can read and change personal notes and requires trusting a third-party CLI with Notes access.
Install this only if you trust the `memo` CLI and are comfortable granting Apple Notes access. Use explicit note names, review outputs before acting, confirm destructive changes one note at a time, and do not let retrieved note text instruct the agent to perform unrelated actions.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may be able to read and modify notes through the `memo` tool once macOS permissions are granted.
Granting Automation access lets the CLI interact with Apple Notes, which is expected for this skill but gives access to personal note data.
macOS-only; if prompted, grant Automation access to Notes.app.
Only grant Notes Automation permission if you are comfortable with this access, and revoke it in macOS Privacy & Security settings if you stop using the skill.
A mistaken or overbroad command could edit, move, export, or delete the wrong note.
The skill intentionally exposes commands that can modify or delete user data. This is purpose-aligned, and the instructions describe interactive selection/confirmation for destructive actions.
Create, view, edit, delete, search, move notes between folders, and export to HTML/Markdown.
Confirm the exact note name and action before allowing edits, moves, exports, or deletions, especially for deletion.
Security depends partly on the external `memo` project and Homebrew tap, which were not included for review here.
The skill depends on an external Homebrew formula for the `memo` binary. This is expected for a CLI wrapper skill, but the binary source is outside the provided artifacts.
brew | formula: antoniorodr/memo/memo | creates binaries: memo
Review and trust the linked `memo` project before installing, and keep the CLI updated from its official source.
Text inside a note could try to manipulate the agent if the agent treats note content as instructions instead of data.
The safety document acknowledges that note bodies can contain instructions the agent might over-trust. This is a known risk for tools that retrieve user-authored or copied text into agent context.
Indirect Prompt Injection Defense | Agent followed injected instructions from note bodies,...
Treat note contents as untrusted data, do not follow instructions found inside retrieved notes, and avoid broad note dumps unless necessary.