vault-ops
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill has a significant indirect prompt injection surface. It explicitly instructs the agent to read and prioritize instructions from an `AGENTS.md` file found at the root of any selected vault. This allows untrusted data within a vault to override the agent's instructions. Evidence: Ingestion points include `AGENTS.md` and referenced files (SKILL.md); boundary markers are absent; the agent possesses file read/write and shell execution capabilities; no sanitization is specified for vault content.
- [COMMAND_EXECUTION]: The skill relies on the execution of local shell commands. It provides templates for using `ripgrep` (`rg`) to search through notes, frontmatter, and links.
- [DATA_EXFILTRATION]: The skill accesses local configuration files to discover vault paths. It reads `~/.vault-ops.json` and Obsidian-specific application configuration files (e.g., `obsidian.json`) across macOS, Windows, and Linux. While this is the intended purpose of the skill, it involves accessing system-level application data.
Audit Metadata