skills/kaotypr/skills/kao-obsidian/Gen Agent Trust Hub

kao-obsidian

Fail

Audited by Gen Agent Trust Hub on Mar 16, 2026

Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill falsely claims to use an 'official Obsidian CLI (v1.12+)'. This misleading metadata can trick agents or users into trusting a tool that is not vetted by the official developers and may contain malicious functionality.
  • [COMMAND_EXECUTION]: The skill documents and encourages the use of the obsidian eval command, which allows for the execution of arbitrary JavaScript code within the context of the Obsidian application. This provides a direct vector for unauthorized system access and manipulation.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8).
      • Ingestion points: Notes are read from the vault directory via commands like obsidian read and obsidian search.
      • Boundary markers: No instructions are provided to the agent to differentiate between its core mission and instructions found within the processed notes.
      • Capability inventory: The agent is granted extensive file-writing capabilities and a direct code execution tool (eval).
      • Sanitization: There are no instructions for validating or sanitizing note content before it is used to influence agent behavior or system commands.
  • [EXTERNAL_DOWNLOADS]: The plugin:install command enables the agent to download and execute code from external community repositories, posing a supply-chain risk and a path for remote code execution.
  • [COMMAND_EXECUTION]: The dev:screenshot command allows the agent to capture and export the application's UI, which may contain sensitive personal or professional information stored in the vault.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 16, 2026, 01:11 PM