Back to skill

Security audit

Mac Reminders Agent

Security checks across malware telemetry and agentic risk

Overview

This skill transparently manages macOS Reminders, including edits and deletes, with no evidence of hidden data exfiltration or automatic persistence.

Install this only if you want an agent to read and manage your macOS Reminders. After granting macOS permission, confirm the exact reminder ID before edits, completions, or deletions, avoid logging reminder output to shared /tmp files, and only configure cron or LaunchAgent examples if you want scheduled background checks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README documents edit, delete, complete, and iCloud-synced reminder operations without an explicit warning that these actions modify or remove real user data across all devices on the same Apple ID. In an agent-driven context, users may treat examples as low-risk test commands, but deletions or edits can immediately propagate to synced devices and cause unintended data loss or integrity issues.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The automation examples write reminder output to predictable local log files in /tmp without warning that reminder titles, notes, due dates, and other personal task data may be stored in plaintext. On shared or multi-user systems, or where log collection/backup tools are present, this can expose sensitive reminder contents beyond the Reminders app itself.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrases for listing reminders are broad, natural conversational phrases that can easily match ordinary assistant interactions without a strong invocation boundary. In an agent environment, this can cause unintended access to private reminder contents, especially since listing reminders exposes task titles, due dates, list names, completion state, and IDs across personal data.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The add-reminder examples rely on common conversational scheduling phrases, which risks the agent turning casual discussion into real state-changing actions without sufficiently explicit user consent. Because this skill writes to the user's local Reminders database, ambiguous activation can create unwanted reminders, clutter lists, or be abused through prompt-injection-like conversational framing to induce unauthorized actions.

Vague Triggers

Medium
Confidence
96% confidence
Finding
Deletion is a destructive operation, yet the trigger examples are minimal and do not document safeguards such as listing matches, resolving ambiguity, or requiring confirmation before deletion. In context, this is more dangerous because reminder titles are often non-unique, and the skill supports deletion by internal ID obtained from list output, so a loose natural-language mapping could lead to irreversible removal of the wrong reminder.

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
cli.js:76