obsidian
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface as it is designed to read and reason over untrusted content from an Obsidian vault (e.g., in
assets/modes/READ.md). - Ingestion points: The skill ingests untrusted data via the
ReadandGreptools when searching or reading notes (e.g.,READ_NOTE,SEARCH_TEXToperations). - Boundary markers: The skill includes mitigation instructions in
assets/modes/READ.md(Rule 1) to quote relevant passages and distinguish between note content and the agent's interpretation. - Capability inventory: The skill has access to
Bash,Write, andEdit, allowing it to modify files or execute shell commands based on its analysis. - Sanitization: No explicit sanitization of ingested note content is performed before processing.
- [COMMAND_EXECUTION]: The skill uses the
Bashtool to perform vault operations such as directory creation, file moving, and deletion (e.g.,assets/modes/SYNC.md). These commands use string interpolation of paths (e.g.,rm '{vault_path}/{file_path}'), which could potentially be manipulated if note metadata or user-provided paths contain shell-sensitive characters, although the use of single quotes provides a basic layer of protection.
Audit Metadata