The Agent Skills Directory

[COMMAND_EXECUTION]: The skill instructs the agent to execute bash commands, specifically 'find "$VAULT_PATH" -name "note-name.md"'. Because the note name and vault path variables are derived from user input and environmental configuration without sanitization, an attacker could provide a malicious name containing shell metacharacters (e.g., ';', '&', '||') to execute arbitrary commands.
[REMOTE_CODE_EXECUTION]: The skill uses a 'python3 -c' command to validate the generated JSON file: 'python3 -c "import json; json.load(open('$CANVAS_PATH'))"'. Since '$CANVAS_PATH' is constructed from a user-specified canvas name, this creates a Python code injection vulnerability if the file name contains characters that escape the string literal and execute additional Python code.
[PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted user descriptions and note references which are then used to perform file system operations and command execution. * Ingestion points: User intent descriptions for canvas creation and vault note names. * Boundary markers: No delimiters or instructions are provided to the agent to treat user data as untrusted. * Capability inventory: Bash (ls, find, cat), file system write/read access, and Python code execution via shell. * Sanitization: There is no evidence of sanitization, escaping, or validation of user-provided content before it is processed or used in system commands.

obsidian-canvas-create