obsidian-vault-manager
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The script `scripts/obsidian_cli.py` uses `subprocess.run` to execute an external `obsidian` binary with arguments dynamically generated by the agent. This is the primary mechanism for vault interaction and allows for executing a range of Obsidian CLI commands on the local system.
- [PROMPT_INJECTION]: The skill facilitates reading and searching through user-controlled Markdown notes in local vaults, creating a surface for indirect prompt injection where malicious content in a note could attempt to influence agent behavior.
  - Ingestion points: Note content is ingested into the agent context via the `obsidian` CLI through scripts like `scripts/obsidian_cli.py` (e.g., using search or read commands).
  - Boundary markers: The instructions in `SKILL.md` do not specify explicit delimiters or "ignore embedded instructions" warnings for the agent when processing retrieved note content.
  - Capability inventory: The skill possesses the capability to execute system commands via `subprocess.run` (in `scripts/obsidian_cli.py`) and perform file system operations (read/write/delete) across the vault.
  - Sanitization: There is no evidence of sanitization or filtering of note content before it is presented to the agent for processing.
Audit Metadata