obsidian-knowledge-factory
Warn
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: MEDIUM
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- Prompt Injection (LOW): The skill is susceptible to Indirect Prompt Injection.
  - Ingestion points: io_utils.py reads content from files (Markdown, Text, PDF, DOCX, and OCR from images) located in the user's inbox folder.
  - Boundary markers: Absent. The function build_user_prompt in disassembler.py appends the raw file content directly to the prompt without any delimiters or 'ignore embedded instructions' warnings.
  - Capability inventory: The system writes files to the local disk and archives source files based on the LLM's output. An attacker could craft a file in the inbox to redirect writing to arbitrary categories or inject malicious content.
  - Sanitization: No sanitization is performed on the file content before it is sent to the LLM.
- Dynamic Execution (MEDIUM): The file engine/validator.py uses ast.literal_eval within the dirty_json_clean function to parse the LLM's output if standard JSON parsing fails. While safer than eval(), using a Python literal evaluator on untrusted data from an LLM is a dynamic execution risk and can be used for denial-of-service or logic bypass if the model is manipulated.
- Data Exposure & Exfiltration (LOW): The skill's primary function involves reading the entire contents of files in the inbox and sending them to an external endpoint (OPENAI_BASE_URL). While this is the intended behavior, users should be aware that all processed data is transmitted to the configured API provider.
- Unverifiable Dependencies (LOW): The skill relies on paddleocr for image processing (mentioned in io_utils.py and the README.md), but this package is not locked to a specific version in requirements.txt.
- Missing Files: The core logic file engine/pipeline.py referenced in main.py was not provided in the source files, limiting the audit's visibility into the final file-writing and archiving logic.
Audit Metadata