obsidian
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes external note content. Ingestion points: The skill retrieves data from the Obsidian vault using 'obsidian read' and 'obsidian-utils.sh' (SKILL.md). Boundary markers: There are no explicit delimiters or instructions to ignore embedded commands within the retrieved text. Capability inventory: The skill has the ability to write files, modify properties, and delete content across the vault. Sanitization: No sanitization or validation of the retrieved note content is performed before processing.
- [COMMAND_EXECUTION]: The skill relies on executing shell commands via the 'obsidian' CLI and the 'obsidian-utils.sh' script. User-provided data, such as file paths, search queries, and note content, is interpolated directly into these shell commands. This creates a surface for command injection if the underlying tools or the shell environment do not adequately sanitize these inputs.
Audit Metadata