obsidian-to-weixin
Warn
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill's workflow relies on shell command templates that interpolate user-controlled variables without sanitization, posing a risk of command injection. Examples include
obsidian-cli search "<note_title>"in Step 1 andwxcli draft add --title "<note_title_or_custom_title>"in Step 6. - [EXTERNAL_DOWNLOADS]: Step 4 of the workflow downloads remote URLs found in Markdown notes using
curl. This can be exploited to perform Server-Side Request Forgery (SSRF) or fetch malicious files if the note content is untrusted. - [DATA_EXFILTRATION]: The skill reads from local paths like
~/.agents/config.yamland uses the<note_path>variable in acatcommand (cat "$vault_path/<note_path>"). Without validation, an attacker could use path traversal sequences to access sensitive files outside the intended vault directory. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted data from Obsidian notes.
- Ingestion points: Obsidian Markdown files (
<workdir>/note.md) and user inputs. - Boundary markers: None identified; note content and titles are processed directly.
- Capability inventory: Shell execution (
obsidian-cli,wxcli,cat), network access (curl), and file system operations. - Sanitization: No evidence of escaping or validating the content of the notes or inputs before processing.
Audit Metadata