The Agent Skills Directory

[PROMPT_INJECTION] (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8) as it processes untrusted user chat content to generate structured documents. Evidence Chain: (1) Ingestion point: AI chat history processed in Step 1. (2) Boundary markers: No explicit instructions or delimiters are used to prevent the agent from following instructions embedded within the chat content. (3) Capability inventory: The skill utilizes file reading and writing (create_file) tools in Steps 4 and 5. (4) Sanitization: While there is basic filtering for illegal filename characters, there is no sanitization or validation of the note body content itself.\n- [COMMAND_EXECUTION] (LOW): The skill interacts with the local file system by reading and writing to a hardcoded Windows path (D:/Documents/Knowledge Base/Readme/). While the base path is fixed, the subdirectories and filenames are derived from AI-interpreted chat content. Although the skill instructs the agent to avoid specific special characters in filenames (e.g., /, \, :), the use of unvalidated, user-influenced data for file path construction presents a surface for minor directory traversal or unintended file placement.

chat-to-obsidian-note