obsidian

Pass

Audited by Gen Agent Trust Hub on Apr 16, 2026

Risk Level: SAFE
[COMMAND_EXECUTION] [DATA_EXFILTRATION] [PROMPT_INJECTION] [EXTERNAL_DOWNLOADS]
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides instructions for the agent to execute shell commands for Git operations (git add, commit, push, pull, init) and vault management via the Obsidian CLI (obsidian read, open, search, daily).
  • [COMMAND_EXECUTION]: System environment and process states are verified using commands such as pgrep and tasklist.
  • [COMMAND_EXECUTION]: The skill documentation recommends that users or agents configure periodic backups using platform-specific schedulers like cron, launchd, or Windows Task Scheduler.
  • [DATA_EXFILTRATION]: Local vault data is intended to be synchronized with external Git repositories via git push and gh repo create operations. This behavior is the stated purpose of the 'Git Sync Mode'.
  • [EXTERNAL_DOWNLOADS]: The functionality relies on the presence of external tools and binaries, specifically the Git CLI, the GitHub CLI (gh), and the Obsidian application executable.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted markdown content from the Obsidian vault.
      1. Ingestion points: Vault notes are read and processed through the read_note, read_multiple_notes, and search_notes tools.
      2. Boundary markers: The instructions do not specify the use of delimiters (e.g., XML tags) or instructions to disregard embedded commands when the agent processes note content.
      3. Capability inventory: The agent has extensive capabilities, including file system modification (write_note, patch_note, delete_note) and shell command execution (Git and Obsidian CLI).
      4. Sanitization: There is no requirement or method defined for sanitizing or validating note content before it is processed or used by the agent.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 16, 2026, 04:14 AM