x-to-obsidian
Warn
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs users to install an external, untrusted package ('agent-browser') globally from NPM. The installation process includes an additional command 'agent-browser install' which may download further unverified binaries or scripts.
- [COMMAND_EXECUTION]: The skill relies on executing shell commands using the 'agent-browser' CLI to perform sensitive operations such as opening URLs, capturing page snapshots, and executing arbitrary JavaScript within a browser context.
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection because it retrieves and processes untrusted content from X/Twitter posts.
  - Ingestion points: Untrusted data is ingested via 'agent-browser snapshot' in 'SKILL.md'.
  - Boundary markers: There are no markers or instructions to isolate external content from the agent's logic, allowing potentially malicious text in a post to influence agent behavior.
  - Capability inventory: The skill has the capability to write markdown files to the user's local filesystem (Obsidian vault) and evaluate code in the browser.
  - Sanitization: There is no evidence of sanitization or validation of the extracted content before it is processed or stored.