obsidian-session-sync
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection by reading data from external files that may contain attacker-controlled instructions.
- Ingestion points: The skill reads from $VAULT_PATH/CLAUDE.md, daily notes, and breadcrumbs in SKILL.md.
- Boundary markers: No delimiters or ignore-instructions warnings are applied to the ingested content.
- Capability inventory: Includes file:write and bash tools (cat, grep, find) across the session sync flow.
- Sanitization: There is no evidence of sanitization or validation of content retrieved from the vault files.
- [COMMAND_EXECUTION]: The skill uses allowed shell commands including cat, grep, and find to read vault state and verify existing files. These commands are used for legitimate state assessment but represent the mechanism by which untrusted data enters the agent's context.
Audit Metadata