Knowledge Manager Setup

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The configure_claude_mcp function in SKILL.md uses the Bash() command to execute shell strings that include interpolated user input (vaultPath).
      ◦ Evidence: Bash(claude mcp add obsidian ... -e OBSIDIAN_VAULT_PATH="${vaultPath}" -- npx -y @huangyihe/obsidian-mcp).
      ◦ Risk: There is no sanitization or escaping of the vaultPath variable. An attacker (via indirect prompt injection) or a malicious user could provide a path containing shell metacharacters (e.g., "; touch /tmp/pwned; #") to execute arbitrary commands with the user's privileges.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill automatically installs and executes Node.js packages using npx -y during the configuration process.
      ◦ Evidence: npx -y @huangyihe/obsidian-mcp.
      ◦ Risk: While @modelcontextprotocol/server-playwright is a known official package, @huangyihe/obsidian-mcp is a package from an individual developer's registry and is not on the Trusted Sources list. This introduces a risk of supply chain compromise or malicious code execution from an unverified source.
  • [REMOTE_CODE_EXECUTION] (HIGH): The combination of the shell injection vulnerability and the use of npx -y allows remote code execution if the setup process is triggered with malicious input.
  • [DATA_EXPOSURE] (MEDIUM): The skill reads and modifies ~/.gemini/antigravity/mcp_config.json, a sensitive configuration file that often contains API keys or environment-specific tokens for other MCP servers.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 07:52 AM