notesmd
Pass
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (LOW): The skill invokes
notesmd-clito perform file system operations such as creating, reading, searching, and deleting Markdown files. This is the intended primary purpose of the skill. - EXTERNAL_DOWNLOADS (LOW): The skill references an external dependency hosted at
https://github.com/Yakitrak/notesmd-cli. This repository does not belong to the list of Trusted External Sources, although the skill does not automate its installation. - DATA_EXFILTRATION (LOW): The skill provides the agent with access to potentially sensitive personal information stored within Obsidian vaults. While no malicious exfiltration code is present, the exposure of private notes to the agent's context is a prerequisite for the skill's functionality.
- PROMPT_INJECTION (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8) due to its core functionality.
- Ingestion points: Untrusted content enters the agent's context via the
printandsearch-contentcommands which read the full body of Markdown notes. - Boundary markers: Absent. The skill provides no delimiters or specific instructions to help the agent distinguish between its own system prompt and content retrieved from notes.
- Capability inventory: The agent has the ability to delete files (
delete), move/rename files (move), and modify file content (create --overwrite,frontmatter --edit). - Sanitization: Absent. Note content is processed without validation or filtering.
Audit Metadata