obsidian-vault-crud
Fail
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: HIGH
DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The script 'scripts/vault_ops.py' is vulnerable to path traversal. It accepts a '--file' argument and uses it directly in filesystem operations without validating that the resulting path is contained within the intended 'VAULT_ROOT'. This allows for unauthorized reading of sensitive files anywhere on the filesystem that the process has permissions to access.
- [COMMAND_EXECUTION]: Due to the lack of path validation in 'scripts/vault_ops.py', the tool could be used to write or append to arbitrary filesystem locations. This capability could be exploited to modify sensitive configuration files (e.g., .bashrc, .zshrc, or .ssh/authorized_keys) to achieve persistence or facilitate unauthorized command execution.
- [EXTERNAL_DOWNLOADS]: The skill specifies a dependency on the 'ruamel.yaml' Python package (referenced as 'ruamel' in metadata). This is a well-known and trusted library for handling YAML data and is considered a safe dependency.
- [PROMPT_INJECTION]: The skill manages untrusted note content, creating an indirect prompt injection surface.
  1. Ingestion points: Note content is read via the 'read_note' function in 'scripts/vault_ops.py'.
  2. Boundary markers: YAML frontmatter is delimited by triple dashes, but the note body lacks specific boundary markers.
  3. Capability inventory: The skill performs filesystem writes via the 'atomic_write', 'create_note', 'update_note', and 'append_to_note' functions in 'scripts/vault_ops.py'.
  4. Sanitization: No sanitization or filtering of note content is performed as the tool is designed for transparent storage.
Recommendations
- AI detected serious security threats