Skills
skills/kriscard/kriscard-claude-plugins/Vault Structure & Configuration/Gen Agent Trust Hub

Vault Structure & Configuration

Warn

Audited by Gen Agent Trust Hub on Feb 25, 2026

Risk Level: MEDIUMDATA_EXFILTRATIONPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [DATA_EXFILTRATION]: The helper script scripts/read-vault-file.sh is vulnerable to path traversal. The script takes a filename as an argument and concatenates it directly to a vault path. An attacker could use ../ sequences to read arbitrary files on the system accessible to the user, such as SSH keys or configuration files.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes the content of user-provided notes from the Obsidian vault.
  • Ingestion points: Notes are read from the local filesystem via the scripts/read-vault-file.sh script or the obsidian CLI.
  • Boundary markers: No specific delimiters or instructions to ignore embedded commands are used when the agent processes note content.
  • Capability inventory: The skill can execute local shell commands (bash, obsidian) and read files.
  • Sanitization: There is no evidence of sanitization or validation of the content retrieved from the vault files.
  • [COMMAND_EXECUTION]: The skill instructions direct the agent to execute shell commands and a local bash script to interact with the vault and read file contents.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Feb 25, 2026, 06:34 PM