Trust Assessment
notesctl received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 8 findings: 2 critical, 5 high, 1 medium, and 0 low severity. Key findings include AppleScript Injection via unescaped folder name, Indirect AppleScript Injection via JSON payload, Potential Command Injection via unvalidated `memo` arguments (notes_export.sh).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (8)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **AppleScript Injection via unescaped folder name**: The `$FOLDER` variable, which is user-controlled, is directly interpolated into an `osascript` command without proper escaping for AppleScript string literals. This allows an attacker to inject arbitrary AppleScript commands by crafting a malicious `FOLDER` value (e.g., `Notes" & do shell script "rm -rf /" & "`), leading to arbitrary command execution on the user's macOS system. Remediation: Escape the `$FOLDER` variable for AppleScript string literals before interpolating it into the `osascript` command. A Python snippet similar to how `TITLE_AS` and `BODY_AS` are handled should be used to escape backslashes and double quotes in `$FOLDER`. | LLM | scripts/notes_new.sh:37 |
| CRITICAL | **Indirect AppleScript Injection via JSON payload**: The `scripts/notes_post.sh` script reads a JSON payload from stdin, extracts the `folder` field, and passes it directly to `scripts/notes_new.sh`. Since `scripts/notes_new.sh` is vulnerable to AppleScript injection via the `$FOLDER` argument, this script provides a direct vector for exploiting that vulnerability by crafting a malicious `folder` value in the JSON input. Remediation: Apply the remediation for AppleScript injection in `scripts/notes_new.sh`. Additionally, consider validating the `folder` field in the JSON payload within `scripts/notes_post.sh` to ensure it does not contain malicious characters before passing it to `notes_new.sh`. | LLM | scripts/notes_post.sh:40 |
| HIGH | **Potential Command Injection via unvalidated `memo` arguments (notes_export.sh)**: User-controlled variables (`$QUERY`, `$FOLDER`) are passed directly as arguments to the `memo` command. While the arguments are quoted, there's a risk if the `memo` utility itself is vulnerable to argument injection, or if it internally passes these arguments to another shell without proper escaping. This pattern, where external commands are invoked with unvalidated user input, presents a potential command injection vector. Remediation: Implement stricter validation or sanitization of user-provided arguments before passing them to external commands. If `memo` is a trusted binary, ensure it's always up-to-date and from a reliable source. Consider using `exec` with an array for arguments if available in the shell context to prevent shell interpretation of arguments. | LLM | scripts/notes_export.sh:14 |
| HIGH | **Potential Command Injection via unvalidated `memo` arguments (notes_export.sh)**: User-controlled variable (`$FOLDER`) is passed directly as an argument to the `memo` command. While the argument is quoted, there's a risk if the `memo` utility itself is vulnerable to argument injection, or if it internally passes these arguments to another shell without proper escaping. This pattern, where external commands are invoked with unvalidated user input, presents a potential command injection vector. Remediation: Implement stricter validation or sanitization of user-provided arguments before passing them to external commands. If `memo` is a trusted binary, ensure it's always up-to-date and from a reliable source. Consider using `exec` with an array for arguments if available in the shell context to prevent shell interpretation of arguments. | LLM | scripts/notes_export.sh:17 |
| HIGH | **Potential Command Injection via unvalidated `memo` arguments (notes_list.sh)**: User-controlled variable (`$FOLDER`) is passed directly as an argument to the `memo` command. While the argument is quoted, there's a risk if the `memo` utility itself is vulnerable to argument injection, or if it internally passes these arguments to another shell without proper escaping. This pattern, where external commands are invoked with unvalidated user input, presents a potential command injection vector. Remediation: Implement stricter validation or sanitization of user-provided arguments before passing them to external commands. If `memo` is a trusted binary, ensure it's always up-to-date and from a reliable source. Consider using `exec` with an array for arguments if available in the shell context to prevent shell interpretation of arguments. | LLM | scripts/notes_list.sh:7 |
| HIGH | **Potential Command Injection via unvalidated `memo` arguments (notes_search.sh)**: User-controlled variables (`$QUERY`, `$FOLDER`) are passed directly as arguments to the `memo` command. While the arguments are quoted, there's a risk if the `memo` utility itself is vulnerable to argument injection, or if it internally passes these arguments to another shell without proper escaping. This pattern, where external commands are invoked with unvalidated user input, presents a potential command injection vector. Remediation: Implement stricter validation or sanitization of user-provided arguments before passing them to external commands. If `memo` is a trusted binary, ensure it's always up-to-date and from a reliable source. Consider using `exec` with an array for arguments if available in the shell context to prevent shell interpretation of arguments. | LLM | scripts/notes_search.sh:11 |
| HIGH | **Potential Command Injection via unvalidated `memo` arguments (notes_search.sh)**: User-controlled variable (`$QUERY`) is passed directly as an argument to the `memo` command. While the argument is quoted, there's a risk if the `memo` utility itself is vulnerable to argument injection, or if it internally passes these arguments to another shell without proper escaping. This pattern, where external commands are invoked with unvalidated user input, presents a potential command injection vector. Remediation: Implement stricter validation or sanitization of user-provided arguments before passing them to external commands. If `memo` is a trusted binary, ensure it's always up-to-date and from a reliable source. Consider using `exec` with an array for arguments if available in the shell context to prevent shell interpretation of arguments. | LLM | scripts/notes_search.sh:13 |
| MEDIUM | **Arbitrary directory creation and file export location**: The `OUTDIR` variable, which is user-controlled, is used to create a directory (`mkdir -p "$OUTDIR"`) and then `memo` is instructed to export notes into this directory. This allows an attacker to specify any writable location on the filesystem, potentially leading to the creation of directories and export of files into sensitive system locations (e.g., `/etc`, `/usr/local/bin`). While `mkdir -p` is generally safe, the subsequent export by `memo` could overwrite or create files in unexpected places, leading to denial of service or other system integrity issues if `memo` exports files with predictable or sensitive names. Remediation: Restrict the `OUTDIR` to a safe, sandboxed location (e.g., a subdirectory within the skill's temporary directory or a user-specific data directory). If arbitrary locations are required, implement strict path validation to prevent path traversal (e.g., disallow `..` components) and ensure the target directory is within an allowed scope. | LLM | scripts/notes_export.sh:9 |