Context
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE PROMPT_INJECTION DATA_EXFILTRATION COMMAND_EXECUTION NO_CODE
Full Analysis
- [Prompt Injection] (LOW): Indirect Prompt Injection surface detected (Category 8) in `SKILL.md`. Untrusted data from external sources is processed by the agent context.
  - Ingestion points: `SKILL.md` identifies that notes are read via `obs read` and Telegram messages are fetched via `ingest poll`.
  - Boundary markers: `SKILL.md` does not define any delimiters or instructions to ignore embedded commands when processing these external inputs.
  - Capability inventory: `SKILL.md` defines tools that can read/write files in the local Obsidian vault and access the network for Telegram and OpenAI services.
  - Sanitization: `SKILL.md` provides no instructions for sanitizing or escaping ingested data before it is interpolated into the session context.
- [Data Exfiltration] (LOW): The skill accesses sensitive local directories (`~/Documents/personal`) and configuration files (`~/.claude/.env`). While necessary for the skill's primary purpose of knowledge management, this grants the agent broad access to personal user documents.
- [Command Execution] (LOW): The skill is designed to execute local CLI tools (`obs.ts` and `ingest.ts`). While no arbitrary command execution or shell injection patterns were found in the markdown, the functionality depends on these external binaries.
- [No Code] (SAFE): No executable code is provided within the `SKILL.md` file; it serves as a configuration interface for pre-installed local tools.