obsidian-structure
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it processes untrusted data from the user's Obsidian vault.
  - Ingestion points: The `scripts/structure.py` script recursively reads every markdown file (.md) in the vault to parse frontmatter and wikilinks.
  - Boundary markers: The script output is provided to the AI context without protective delimiters or instructions to ignore embedded commands found within the processed notes.
  - Capability inventory: The AI agent is authorized to create and manage files across multiple vault directories, creating a significant action surface if an injection occurs.
  - Sanitization: No sanitization is performed on the filenames, tags, or links extracted from the notes before they are presented to the AI context.
- [COMMAND_EXECUTION]: The skill executes a local Python script to analyze the vault structure.
  - Evidence: The `SKILL.md` file defines a command to run `python3 .claude/skills/obsidian-structure/scripts/structure.py`. While the path is local and the script is bundled with the skill, it allows the agent to execute code that accesses the local filesystem.
Audit Metadata