obsidian-cli

Fail

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill exposes an eval command which allows the execution of arbitrary JavaScript within the Obsidian application context. This represents a critical risk if the agent is tricked into processing malicious code strings. (Evidence: references/command-reference.md)
  • [REMOTE_CODE_EXECUTION]: The plugin:install and theme:install commands allow the installation of unverified community-contributed extensions. This enables the execution of remote, third-party code that could be malicious. (Evidence: references/command-reference.md)
  • [COMMAND_EXECUTION]: The skill enables the use of the obsidian CLI for destructive operations, including permanent file deletion (delete with permanent flag), overwriting files (history:restore), and triggering application restarts (restart). It also includes low-level access via Chrome DevTools Protocol (dev:cdp). (Evidence: SKILL.md, references/command-reference.md)
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its core function of reading untrusted vault data.
      • Ingestion points: Notes are ingested via read, search, and daily:read commands (SKILL.md).
      • Boundary markers: Absent. The documentation does not specify the use of delimiters or instructions to ignore content within notes.
      • Capability inventory: Includes file system modification, network navigation via web command, and arbitrary code execution via eval.
      • Sanitization: Absent. Note content is retrieved and provided to the agent without escaping or safety filtering.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 11, 2026, 07:16 PM