obsidian-gh-knowledge

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's GitHub mode (described in SKILL.md under "GitHub mode fallback" and implemented in scripts/github_knowledge_skill.py) explicitly calls the GitHub CLI/API to list, read, and search files from arbitrary repos specified by --repo (and references/obsidian-organizer.md uses those read/list/move flows), meaning the agent fetches and interprets untrusted, user-provided GitHub repository content as part of its workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly clones and accesses arbitrary GitHub repos at runtime (for example: https://github.com/karlorz/obsidian_vault) and then reads repo files (e.g., AGENTS.md) that can alter agent behavior and runs scripts from the checked-out vault (python3 "$VAULT_DIR/..."), so the remote repo URL is a runtime dependency that can control prompts or execute code.