obsidian-knowledge

Warn

Audited by Gen Agent Trust Hub on Mar 17, 2026

Risk Level: MEDIUM (PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION)
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection via the Intent Router.
      1. Ingestion points: Untrusted web content is ingested through the defuddle skill or WebFetch tool when processing URLs provided by users.
      2. Boundary markers: The skill lacks explicit delimiters or instructions to ignore embedded commands within the fetched content.
      3. Capability inventory: The agent has extensive write permissions via the obsidian CLI (create, append, task completion) and local file system access through the Section Editing Protocol.
      4. Sanitization: There is no evidence of sanitization or safety filtering for the external data before it is integrated into the vault logic.
  • [REMOTE_CODE_EXECUTION]: The skill utilizes dynamic execution by loading secondary skills from computed paths. In the Skill Delegation section, it points to a directory within the vault root ($(obsidian vault=MyObsidian info=path)/.agents/skills/) to find additional tools like obsidian-markdown and json-canvas. This could allow an attacker to execute malicious logic if they can trick a user into placing files in the vault.
  • [COMMAND_EXECUTION]: The skill relies on the obsidian CLI and local file editing tools to modify the vault. While this is the intended functionality, the lack of isolation between the processing of untrusted web data and these powerful commands presents a risk of unauthorized vault modifications.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 17, 2026, 04:32 AM