obsidian-canvas-architect
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through its processing of untrusted Obsidian vault files.
- Ingestion points: The
read_canvasfunction inscripts/canvas_ops.py, theread_notefunction inscripts/vault_ops.py, and theanalyzecommand inobsidian-parser/parser.pyall ingest external file content. - Boundary markers: Script outputs do not include boundary markers or explicit instructions to distinguish vault content from system instructions.
- Capability inventory: The skill has the ability to perform file writes and renames via
scripts/canvas_ops.pyandscripts/vault_ops.py. - Sanitization: Content retrieved from vault files is returned to the agent without filtering or sanitization.
- [COMMAND_EXECUTION]: The skill performs file modifications including writing and renaming using Python's
osandpathlibmodules. While these are necessary for its primary purpose, the implementation lacks path validation for the--fileinput, potentially allowing an agent to manipulate files at any path accessible to the script environment.
Audit Metadata