json-canvas
Pass
Audited by Gen Agent Trust Hub on Apr 6, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill is a standard data-processing extension that follows the JSON Canvas 1.0 specification. All external links point to official project documentation and repositories (jsoncanvas.org and github.com/obsidianmd).\n- [PROMPT_INJECTION]: The skill processes user-supplied JSON files, which is a surface for indirect prompt injection. However, the skill restricts its operations to structural data modification and lacks high-risk capabilities (like shell execution or network access) that could be leveraged by an attacker.\n
- Ingestion points: Parsing of existing
.canvasfiles in 'Add a Node' and 'Edit an Existing Canvas' workflows (SKILL.md).\n - Boundary markers: Absent; the skill does not instruct the agent to ignore instructions embedded in node text.\n
- Capability inventory: No subprocess calls, network operations, or high-privilege file system access are defined.\n
- Sanitization: None described; the skill relies on standard JSON parsing.
Audit Metadata