wiki-synthesize

Fail

Audited by Gen Agent Trust Hub on Apr 24, 2026

Risk Level: HIGH | CREDENTIALS_UNSAFE | COMMAND_EXECUTION | PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructions require the agent to execute grep commands using concept names extracted directly from user-controlled wiki pages. Because these concept names (extracted from [[wikilinks]]) are not sanitized, an attacker could include shell metacharacters in a page name or link (e.g., $(touch EXPLOITED)) to execute arbitrary commands when the agent attempts to build the co-occurrence map.
  • [CREDENTIALS_UNSAFE]: The skill explicitly directs the agent to read .env files to determine the vault path. Accessing .env files is a high-risk activity: they are standard locations for storing sensitive information such as API keys, database credentials, and other secrets, which are then exposed to the agent's context.
  • [PROMPT_INJECTION]: The skill is exposed to indirect prompt injection because it ingests and processes large amounts of untrusted content from the user's wiki vault to generate new synthesis pages and update logs.
      • Ingestion points: The agent reads ~/.obsidian-wiki/config, .env, index.md, hot.md, _meta/taxonomy.md, and all markdown files within the vault.
      • Boundary markers: No boundary markers or instructions to ignore embedded commands are present in the processing logic.
      • Capability inventory: The agent has the ability to execute shell commands (grep), create and modify files (new synthesis pages, index.md, log.md, hot.md), and has access to environment variables via the .env file.
      • Sanitization: No sanitization or validation of the ingested content is performed before it is used in shell commands or file generation.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 24, 2026, 04:45 PM