vault-synthesis
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is designed to read, interpret, and aggregate content from various vault notes (e.g., daily logs, project notes) to create summaries and 'History' notes. This creates a significant attack surface.
  - Ingestion points: Uses `obsidian-cli search-content` and `rg` to find and read notes from directories like `01-Days` and `03-Records` (referenced in `history-rollup.md` and `topic-note.md`).
  - Boundary markers: Absent. The instructions do not specify any delimiters or safety prompts to prevent the agent from obeying instructions found inside the notes it analyzes.
  - Capability inventory: The agent can execute shell commands (`obsidian-cli`, `rg`), create new files (`obsidian-cli create`), and modify existing YAML frontmatter. A malicious note could contain instructions that hijack these capabilities.
  - Sanitization: Absent. The workflow encourages 'context-aware' extraction of narrative content, which increases the likelihood of an agent obeying embedded instructions.
- [Command Execution] (MEDIUM): The skill relies on executing external shell commands to perform its duties. While these are intended for vault management, they represent a risk if command arguments are derived from untrusted note content.
  - Evidence: References to `rg` (ripgrep) and `obsidian-cli` in `history-rollup.md` and `topic-note.md` for searching and creating files.
- [Data Exposure] (LOW): The skill is designed to search through personal notes in a vault. While this is its stated purpose, it facilitates broad access to sensitive information stored within the notes, which could be exfiltrated if combined with a prompt injection or network-enabled tool.
Recommendations
- AI detected serious security threats