obsidian-batch
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUMPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (MEDIUM): The skill is susceptible to Indirect Prompt Injection because it reads and processes user-controlled markdown files while possessing high-privilege file system capabilities. An attacker could place malicious instructions in a note to influence the agent's behavior during vault-wide operations. 1. Ingestion points: Vault markdown files located in the user's vault directory. 2. Boundary markers: None identified in the provided syntax or processing logic. 3. Capability inventory: Bulk file writes, moves, and recursive deletions. 4. Sanitization: None evidenced in the provided regex-based parsing logic.
- COMMAND_EXECUTION (LOW): The documentation includes various CLI commands for vault management and a Python snippet for updating metadata. These operations involve direct file system manipulation and potential data loss if misconfigured, though safety measures like backups and dry-runs are suggested as best practices.
Audit Metadata