obsidian-brain

Pass

Audited by Gen Agent Trust Hub on Mar 31, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes several local shell scripts (init-vault.sh, capture.sh, query-links.sh, safe-write.sh) to manage the Obsidian vault. These scripts utilize standard command-line tools such as git, ripgrep (rg), grep, and sed.
  • [DATA_EXFILTRATION]: The skill reads data from local markdown files in various vault directories (notes, daily, tasks, etc.) for context loading and planning. It contains no network-capable operations or external API calls, ensuring data remains local to the user's filesystem.
  • [PROMPT_INJECTION]: The skill processes user-generated content from the vault, creating an attack surface for indirect prompt injection.
      • Ingestion points: All markdown files in the human and AI zones.
      • Boundary markers: Lacks explicit content delimiters in prompts.
      • Capability inventory: Full read access to vault files; write access restricted to the ops/ directory via safe-write.sh.
      • Sanitization: Path-level validation only.
  • [SAFE]: The safe-write.sh script correctly implements security best practices to prevent directory traversal and zone escapes. It uses canonical path resolution, rejects relative '..' paths, and validates that target files are not symlinks pointing outside the designated AI write zone.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 31, 2026, 09:51 AM