obsidian-gh-knowledge
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because its core operating rules (in both SKILL.md and AGENTS.md) direct the agent to read and follow an `AGENTS.md` file located within the repository being managed. This allows the content of a potentially untrusted file to override the agent's default behavior.
  - Ingestion points: The skill ingests untrusted data from the repository's `AGENTS.md` file using the `read` command in `scripts/github_knowledge_skill.py`.
  - Boundary markers: There are no boundary markers or instructions to ignore embedded commands when the agent reads the `AGENTS.md` file.
  - Capability inventory: The skill has significant capabilities, including reading, writing, moving, and deleting files in a repository via the `gh` CLI, as well as local filesystem access.
  - Sanitization: The skill does not perform any validation or sanitization of the content within `AGENTS.md` before adopting it as operating instructions.
- [COMMAND_EXECUTION]: The Python script `scripts/github_knowledge_skill.py` executes system commands using the `gh` (GitHub CLI) utility.
  - Evidence: Subprocess calls in `GitHubKnowledgeManager.run_gh_command` use `subprocess.run` with list-formatted arguments, which prevents shell injection by ensuring parameters are handled as distinct arguments rather than part of a shell string.
  - Scope: The command execution is limited to operations supported by the GitHub CLI and targets specific repositories provided by the user or found in the local configuration file.
Audit Metadata