obsidian-gh-knowledge
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [SAFE]: No malicious patterns, hardcoded secrets, or obfuscated code were detected. The skill's behavior is consistent with its stated purpose of managing Obsidian vaults.\n- [COMMAND_EXECUTION]: The skill executes
git,gh, andobsidiancommands to manage vault data. Evidence:subprocess.runcalls inscripts/github_knowledge_skill.py,scripts/init_local_vault.py, andscripts/local_vault_git_sync.py. Commands use list-based arguments, which is a secure practice to prevent shell injection.\n- [EXTERNAL_DOWNLOADS]: The skill usesgit cloneto download Obsidian vault repositories from GitHub. Evidence:scripts/init_local_vault.py. This is restricted to user-confirmed repositories and performed via a trusted service (GitHub).\n- [DATA_EXFILTRATION]: The skill reads and writes note content to GitHub. Evidence: GitHub API calls inscripts/github_knowledge_skill.py. This is the core functionality and is used within user-defined repository scopes.\n- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface by reading markdown files from external repositories. Evidence: 1. Ingestion points:github_knowledge_skill.py(read) andobsidian readcommand. 2. Boundary markers: None explicitly enforced in content ingestion. 3. Capability inventory: Subprocess execution of git/gh and filesystem write access. 4. Sanitization: Note content is processed as raw text. This is a low-risk architectural property common to knowledge management tools and does not escalate the verdict given the intended use case.
Audit Metadata