Mac Notes Agent
Security checks across malware telemetry and agentic risk
Overview
This skill appears to do what it says—manage Apple Notes locally—but it can read, change, and delete notes, so users should supervise destructive actions.
Install only if you want the agent to manage your local Apple Notes. Specify folders when possible, avoid broad searches over sensitive notes, and require the agent to confirm before updating or deleting any note.
VirusTotal
64/64 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked with the wrong note title, folder, or id, the agent could overwrite or delete a note.
The CLI invokes AppleScript through osascript and includes note deletion logic. This is expected for an Apple Notes integration, but it gives the agent local tool authority to mutate or delete notes.
execFileSync('osascript', ['-e', script] ...); ... delete n
Use this skill for explicit note-management tasks, and require confirmation before update, append, or delete operations.
The agent can access whichever Apple Notes account is the macOS default, including folders the user may not intend to expose if no folder is specified.
The skill acts using the user's configured Apple Notes account authority. This is purpose-aligned, but users should understand it is not a separate sandboxed account.
All operations target the **default Notes account**. Optionally you can specify which folder to use.
Specify folders when possible and avoid enabling the skill for tasks where the agent should not access personal Notes content.
Private Apple Notes content may be returned to the agent during get or search operations.
Reading and searching note bodies can bring persistent private note content into the agent's context. This is expected for the skill, but it is sensitive data access.
Searches note titles and bodies for the keyword.
Do not ask the agent to search broad or sensitive Notes content unless you are comfortable exposing matching note text to the session.
The skill may be installable or invocable in environments where it cannot work, and platform requirements may not be enforced automatically.
The registry metadata does not declare prerequisites, while the provided documentation states the skill requires macOS, Node.js, and osascript. This is an under-declared compatibility/provenance issue rather than evidence of malicious behavior.
Required binaries (all must exist): none ... OS restriction: none
Use only on macOS with Node.js and osascript available; maintainers should declare these requirements in metadata.
