recall
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill performs direct interpolation of the user-provided $QUERY argument into shell-like grep patterns. If the underlying execution environment does not properly escape this input, an attacker could inject additional commands or grep flags to execute arbitrary code or read sensitive files.
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection. It is designed to read and summarize content from external Markdown files which are considered untrusted data. 1. Ingestion points: Matching files found in the vault paths. 2. Boundary markers: Absent; there are no delimiters or instructions to treat the file content as data only. 3. Capability inventory: File reading and conversational summarization of content. 4. Sanitization: Absent; content is processed and presented to the agent directly. A malicious memory file could contain instructions that redirect the agent's behavior upon being read.
- [DATA_EXFILTRATION] (MEDIUM): While scoped to the AI/Memory directory, the lack of path validation on the query or type filter could potentially lead to path traversal if the search tool allows it, exposing sensitive files elsewhere in the Obsidian vault.
Recommendations
- AI detected serious security threats
Audit Metadata