obsidian-search
Warn
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructions in
SKILL.mdandreferences/cli-query-patterns.mdguide the agent to construct Bash commands using user-provided strings for query parameters and file names (e.g.,obsidian search query="关键词"). This design is vulnerable to shell command injection if the agent does not strictly escape metacharacters such as backticks, semicolons, or command substitutions within the user input. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its core functionality of reading and summarizing notes.
- Ingestion points: The agent retrieves untrusted data from the Obsidian vault using
obsidian readandobsidian search:contextas specified inSKILL.md. - Boundary markers: Absent. The instructions do not provide delimiters or specific warnings to ignore instructions embedded within the note content.
- Capability inventory: The skill possesses the capability to execute system commands via Bash and read arbitrary files within the vault directory.
- Sanitization: Absent. Note content is processed and summarized without any validation, escaping, or filtering for potential adversarial instructions.
Audit Metadata