obos
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
PROMPT_INJECTION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill exhibits a significant Indirect Prompt Injection surface (Category 8).
- Ingestion Points: The skill regularly reads and processes external, untrusted content from the Clippings/, Inbox/, and Notes/ directories across multiple commands (sync.md, ask.md, tidy.md, refine.md, and draft.md).
- Boundary Markers: There are no defined delimiters or 'ignore' instructions specified in the prompts when the agent reads note content to generate summaries, outlines, or indices.
- Capability Inventory: The skill is granted instructions to read, write, and move files within the user's filesystem, as well as summarize and synthesize answers from gathered data.
- Sanitization: No sanitization is performed on ingested note content before it is interpolated into agent reasoning or written to index files.
- PROMPT_INJECTION (HIGH): Persistent context poisoning through CLAUDE.md.
- Evidence:
commands/sync.md (Step 4) explicitly instructs the agent to update the CLAUDE.md file with 'Recent Activity' and 'Active Topics' derived from note titles and summaries. Since CLAUDE.md often serves as a system-level configuration or context file for agents, malicious content placed in a note could persistently compromise the agent's instructions every time the vault is accessed.
- DATA_EXFILTRATION (LOW): Arbitrary directory access via vault registration.
- Evidence:
commands/vault.md allows the registration of arbitrary filesystem paths as 'vaults'. While the skill checks for a .obsidian/ folder, it does not strictly enforce this, potentially allowing an agent to be directed to monitor or index sensitive system directories if a user is tricked into providing a specific path.
Recommendations
- AI detected serious security threats