wiki
Warn
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the user to install and execute code from unverified third-party sources to enable core functionality.
  - Recommends running uvx mcp-obsidian, which downloads and executes a package from a public registry.
  - Recommends running npx @bitbonsai/mcpvault@latest, which downloads and executes code from a public package manager.
- [COMMAND_EXECUTION]: The skill relies on complex shell operations that include disabling standard security protocols.
  - Instructions recommend setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED to 0. This disables TLS certificate validation for the entire Node.js process, which can expose the system to man-in-the-middle attacks if non-local traffic is involved.
  - Provides curl commands that handle sensitive API tokens and vault data through the terminal.
- [PROMPT_INJECTION]: The design of the ingestion pipeline presents a risk of indirect prompt injection.
  - Ingestion points: The skill processes raw source documents stored in the .raw/ directory.
  - Boundary markers: There are no specified delimiters or system-level instructions to ignore malicious commands embedded within the source files.
  - Capability inventory: The skill utilizes the Write, Edit, and Bash tools, providing a significant capability surface if malicious instructions in ingested data are followed.
  - Sanitization: The skill does not describe any validation or sanitization process for external content before it is incorporated into the knowledge base.
Audit Metadata