obsidian-bases
Pass
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface.
  - Ingestion points: The agent is instructed to access note metadata, frontmatter, and file properties via fields like `file.properties` and `file.path` (File: SKILL.md).
  - Boundary markers: Absent; there are no instructions provided to the agent to distinguish between data content and potential malicious instructions embedded within note properties.
  - Capability inventory: The agent can create and modify `.base` files, which define the logic for views, filters, and formulas.
  - Sanitization: Absent; although the documentation mentions an `escapeHTML()` function for user formulas, there is no requirement or instruction for the agent to sanitize note data before it is ingested and processed.
- [SAFE]: The skill contains reference links to official Obsidian documentation at help.obsidian.md, which is a well-known and trusted service for this application context.
Audit Metadata