kepano-obsidian-cli

Fail

Audited by Gen Agent Trust Hub on Mar 15, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes the obsidian CLI to perform a wide range of vault operations, including reading, creating, and modifying notes. This provides the agent with broad access to the file system and application state within the context of the running Obsidian instance.
  • [REMOTE_CODE_EXECUTION]: The obsidian eval code="..." command allows for the execution of arbitrary JavaScript code directly within the Obsidian application context. This is a high-risk capability that could be exploited to perform unauthorized actions, access internal app APIs, or modify the user's environment if the agent processes a malicious request.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it reads and searches vault content using obsidian read and obsidian search. Ingestion points include any note in the vault (SKILL.md), and there are no boundary markers or sanitization procedures defined to distinguish between user data and instructions. This is particularly risky given the skill's capabilities like obsidian eval and obsidian create (SKILL.md).
  • [DATA_EXFILTRATION]: The skill's ability to read note content, capture screenshots (obsidian dev:screenshot), and inspect the DOM (obsidian dev:dom) provides a clear path for accessing sensitive information. While no external network exfiltration destination is hardcoded, the agent could be directed to read this data and then transmit it elsewhere using other tools.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 15, 2026, 08:18 AM