kepano-obsidian-bases
Pass
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface through its processing of note metadata and frontmatter properties. An attacker could embed instructions in a note's properties that the agent might follow when parsing those notes to generate or modify configurations.
  1. Ingestion points: Metadata from all files in the vault and note frontmatter accessed via the 'file.properties' and 'note' namespaces in SKILL.md.
  2. Boundary markers: Absent; there are no instructions to use delimiters or specific 'ignore instructions' directives when handling data from note properties.
  3. Capability inventory: The agent can perform extensive file reads across the vault and write new .base files to the filesystem.
  4. Sanitization: Absent; the instructions do not specify any validation or sanitization of data extracted from notes before it is used in YAML configuration or formula expressions.
- [COMMAND_EXECUTION]: The skill defines a domain-specific language for formulas and filters which includes an 'html()' function for rendering content from note properties directly. This enables a dynamic execution surface where untrusted data from note properties could be rendered as HTML, potentially leading to local Cross-Site Scripting (XSS) within the Obsidian interface if the agent processes maliciously crafted note metadata.