doc-vault-project

Pass

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: SAFE (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill constructs and executes shell commands using variables derived from user input or note content, which presents a risk of command injection if parameters are not properly sanitized.
      • Evidence: The init command uses mkdir -p "$VAULT/projects/{slug}/..." where {slug} is derived from a user-provided project name.
      • Evidence: The link and promote commands use qmd vsearch "{project topic}" where the search string is based on user input.
      • Evidence: The status command executes ls "$VAULT/projects/" to list directory contents.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it reads and processes data from existing notes within the Obsidian vault to generate status reports and update index files.
      • Ingestion points: File SKILL.md describes workflows for status, add, and link which involve reading _index.md and component note frontmatter.
      • Boundary markers: Absent. There are no instructions provided to the agent to treat note content as untrusted data or to ignore embedded instructions.
      • Capability inventory: The skill has the ability to execute shell commands (mkdir, ls, qmd), write files ("Write tool"), and modify existing note structures.
      • Sanitization: Partial. While the instructions advise the agent to convert names to kebab-case slugs, there is no explicit sanitization for the content of notes being read and interpreted.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 11, 2026, 10:29 AM