obsidian-manager

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill processes untrusted external data (highlights and transcripts) which provides a vector for attacking the agent.
      ◦ Ingestion points: Vault data in the Readwise/ and Snipd/ folders, which are synced from external services.
      ◦ Boundary markers: None identified. The skill lacks instructions to treat vault content as data rather than instructions.
      ◦ Capability inventory: Allowed tools include Read, Write, Bash, Glob, and Grep.
      ◦ Sanitization: No sanitization or validation logic is defined for the content being read or written.
  • Command Execution (HIGH): The skill utilizes the Bash tool to execute scripts via uv run. This execution surface can be combined with indirect prompt injection to run arbitrary code on the user's system.
  • Data Exposure (MEDIUM): The skill is configured to access a specific sensitive path (/Library/Mobile Documents/iCloudmd~obsidian/Documents/Personal_Notes/) containing personal knowledge storage. The presence of the Bash tool alongside access to these files increases the risk of exfiltration.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 08:18 AM