obsidian-ops

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly instructs AI agents to fetch and pull content from public third-party repositories (the six core Obsidian GitHub repos named in references/sync-procedure.md and references/quick-sync-guide.md) and to read files like AGENTS.md and docs to drive syncs, updates, and release decisions, which exposes the agent to untrusted external content that can influence actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill performs runtime git operations (e.g., git pull / git clone / "add ref") that fetch content from external GitHub repositories — for example https://github.com/obsidianmd/obsidian-api and https://github.com/obsidianmd/obsidian-sample-plugin (and the other listed core repos) — and that fetched content is explicitly used to update .agents/ instruction files, so remote content can directly control agent prompts.