obsidian-plan-wiki
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFE (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill provides specific shell command templates for the agent to execute. These include using `rg` (ripgrep) for searching documentation, `ln` for creating symlinks for configuration files, and external CLI tools like `tk` (ticketing) and `tinychange` (changelog management) to maintain project state.
- [PROMPT_INJECTION]: The instructions contain strong behavioral directives such as "Follow the instructions literally" for handbook lookups and "Do not stop... finish the job" for autonomous work. While intended to ensure process compliance, such directives are designed to override default agent behavior.
- [INDIRECT_PROMPT_INJECTION]:
  - Ingestion points: The agent is instructed to read and follow content from multiple locations within the `docs/` directory, including feature specifications, handbooks, and research files.
  - Boundary markers: There are no explicit delimiters or instructions provided to the agent to treat external content as untrusted or to ignore embedded instructions within the markdown files.
  - Capability inventory: The skill allows for local shell command execution (`rg`, `tk`, `tinychange`) and file system modifications (creation, renaming, symlinking).
  - Sanitization: There is no evidence of validation or escaping for identifiers (such as Johnny Decimal IDs or ticket descriptions) before they are passed to shell commands.
Audit Metadata