obsidian
Warn
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of the 'obsidian-cli' tool via a third-party Homebrew tap ('yakitrak/yakitrak/obsidian-cli'). This introduces a dependency on external code from a source that is not included in the trusted vendor list.
- [COMMAND_EXECUTION]: The skill relies on shell commands to interact with the local filesystem and Obsidian configuration. It explicitly instructs the agent to read '~/Library/Application Support/obsidian/obsidian.json' and use 'obsidian-cli' for operations such as search, create, move, and delete.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it reads and processes user-controlled Markdown files.
- Ingestion points: Data enters the agent's context when 'obsidian-cli search-content' is used to retrieve text from within vault notes.
- Boundary markers: The skill does not define delimiters or specific instructions for the agent to ignore potentially malicious commands embedded in note content.
- Capability inventory: The skill provides capabilities to write, rename, and delete files, which could be exploited if an agent follows instructions found within a searched note.
- Sanitization: There is no evidence of sanitization or filtering of note content before it is processed by the agent.
Audit Metadata