obsidian
Warn
Audited by Gen Agent Trust Hub on Apr 12, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes shell commands using the
obsidianCLI and a local utility script./obsidian-utils.sh. It interpolates user-controlled variables likepath,content, andquerydirectly into command arguments. This structure can lead to command injection if the input contains shell metacharacters and the platform or underlying tools do not perform sufficient sanitization.- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests data from external files that may contain malicious instructions. - Ingestion points: Untrusted data enters the agent context through
obsidian read,obsidian search, andobsidian daily:readoperations inSKILL.md. - Boundary markers: There are no delimiters or specific instructions provided to the agent to ignore or isolate instructions found within the vault notes.
- Capability inventory: The skill possesses significant capabilities including reading, writing, and deleting files, as well as executing shell commands via the vault utilities.
- Sanitization: No sanitization or content validation mechanisms are documented to filter malicious content retrieved from notes before processing.
Audit Metadata