obsidian-vault-manager
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill frequently invokes the obsidian-cli tool via shell commands for vault operations. It also incorporates standard utilities like grep, sed, cat, and echo to manipulate and process note data within bash workflows.\n- [EXTERNAL_DOWNLOADS]: The skill's setup instructions recommend installing the @johnlindquist/obsidian-cli package globally via npm. This involves downloading and installing third-party software from a public registry that is not maintained by the skill author.\n- [PROMPT_INJECTION]: The skill processes untrusted data from existing Obsidian notes, creating a vulnerability to indirect prompt injection. Malicious instructions embedded in notes could potentially influence the agent's behavior during note reading or editing operations.\n
- Ingestion points: The obsidian-cli print command is used to read note contents into the agent's context (documented in SKILL.md and obsidian-cli-reference.md).\n
- Boundary markers: No specific delimiters or instructions to ignore embedded commands are defined when the agent processes note content.\n
- Capability inventory: The agent can write to the vault (obsidian-cli create), move/rename files (obsidian-cli move), and perform full-text searches (obsidian-cli search-content).\n
- Sanitization: There is no evidence of content sanitization or validation to prevent the execution of instructions found within the ingested markdown files.
Audit Metadata