obsidian-canvas
Warn
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: MEDIUMPROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (MEDIUM): The skill ingests untrusted external data (user-defined text, labels, and file paths) and interpolates them into a JSON payload which is then processed by a local library (
scripts/canvas_lib.py). - Ingestion points: User-provided text for nodes, group labels, and edge labels in
SKILL.mdandreferences/library_spec.md. - Boundary markers: No explicit boundary markers or instructions to ignore embedded commands within the input data are defined in the instructions.
- Capability inventory: The skill executes
python3 /path/to/skills/obsidian-canvas/scripts/canvas_lib.pyvia a shell pipe (cat <<EOF | python3 ...). It has the capability to write files (.canvasoutput) to the filesystem. - Sanitization: There is no evidence of sanitization or escaping logic mentioned for the markdown content before it is piped to the Python interpreter. An attacker could potentially embed instructions in a node's text that attempt to influence the agent's next steps when it reads or verifies the created canvas.
- [Command Execution] (LOW): The skill requires executing a local Python script using shell pipes. While the path is specified as internal to the skill, this is a standard execution pattern for this type of tool.
Audit Metadata