We checked this and rejected itsecurity

TriliumNext Notes: why it is not safe to use

TriliumNext Notes passed review at 88/100; the one caution is that default write permissions let an agent permanently delete or alter your notes.

What we found

TriliumNext Notes passed our security and privacy review with a score of 88/100. It is open-source TypeScript, a straightforward wrapper around your own TriliumNext ETAPI endpoint. All traffic goes only to the URL you configure (default `http://localhost:8080/etapi`), with no third-party or telemetry calls. Authentication uses a `TRILIUM_API_TOKEN` supplied through an environment variable, and we found no hardcoded secrets, no obfuscated code, no arbitrary URL fetching, and no privilege escalation.

The one caution is around write access. Under the default `PERMISSIONS=READ;WRITE`, the server exposes `delete_note` (permanent removal) alongside update, move, and patch operations. This means a connected agent can irreversibly change or delete your notes, whether by mistake or by acting on instructions embedded in note content it reads back.

What to do instead

If you only need retrieval, set `PERMISSIONS=READ` to run it read-only and remove the destructive surface entirely. If you do need write access, scope the `TRILIUM_API_TOKEN` to the smallest set of notes required, keep backups, and review what an agent proposes before it acts. Treat note content as untrusted input, since a downstream agent could interpret it as instructions.

Want the same outcome, safely? Use our checked skill instead.

Source: https://github.com/tan-yong-sheng/triliumnext-mcp

We report what our security review found at the time we checked, with the goal of keeping people safe. Projects change; if a maintainer has since fixed this, we are glad to recheck it. Email hello@agentpod.com.

Copied to clipboard. Paste it into your AI (ChatGPT, Claude, or your agent) to add the skill.