obsidian
Pass
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes a local binary (
obsidian) to perform vault operations, including note creation, deletion, and knowledge graph analysis. - [PROMPT_INJECTION]: The skill facilitates indirect prompt injection by reading arbitrary text from markdown files in the user vault.
- Ingestion points: Content is read via the
obsidian readcommand,obsidian searchfunctionality, and fallbackReadandGreptools. - Boundary markers: No delimiters or specific instructions are provided to distinguish between stored data and agent instructions.
- Capability inventory: The agent can create, move, and delete files, as well as execute various CLI subcommands based on ingested data.
- Sanitization: There is no evidence of data sanitization or validation for content retrieved from the vault files.
- [DATA_EXFILTRATION]: The skill contains a hardcoded absolute directory path (
/Users/maroffo/Library/Mobile Documents/iCloud~md~obsidian/Documents) that reveals a local system username.
Audit Metadata