obsidian-clipper-template-creator
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill employs the WebFetch tool to ingest untrusted HTML from external URLs (documented in references/analysis-workflow.md). This allows an attacker to host a page with malicious instructions hidden in Schema.org data, meta tags, or content that could override the agent's system prompt or session logic.
  - Ingestion points: The WebFetch function call in references/analysis-workflow.md retrieves arbitrary external data.
  - Boundary markers: Absent. There are no instructions or delimiters provided to the agent to treat fetched HTML as untrusted data or to ignore instructions contained within it.
  - Capability inventory: The skill possesses the ability to read local files (Templates/Bases/) and perform network fetches via WebFetch.
  - Sanitization: Absent. The agent is instructed to parse raw HTML for data extraction without filtering or validation.
- Data Exposure (MEDIUM): The skill is designed to read local .base files from the user's filesystem (Templates/Bases/*.base) as part of its core workflow (documented in SKILL.md and references/bases-workflow.md). While these files are intended for template creation, the explicit instruction to access the local filesystem creates a pathway for data exposure if an attacker successfully executes a prompt injection.
- Command Execution (LOW): The skill relies on the WebFetch tool to interact with the network. While this is a standard capability for this type of agent, it represents a tool-use command that can be chained with other vulnerabilities.
Recommendations
- AI detected serious security threats
Audit Metadata