obsidian
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- [SAFE] (SAFE): The skill architecture is well-structured and follows standard Claude Code extension patterns for agent-based workflows. No obfuscation or malicious intent was found.
- [COMMAND_EXECUTION] (SAFE): Employs local shell and Python scripts for vault detection and file validation. Validation logic in `scripts/validate-base.sh` uses `yaml.safe_load()` to prevent potential remote code execution from malicious YAML input.
- [DATA_EXFILTRATION] (SAFE): User preferences and feature usage patterns are tracked locally in the `.claude/obsidian-memory.json` file. Data collection is limited to feature telemetry (e.g., counting callouts or wikilinks), and no external network exfiltration was detected.
- [INDIRECT_PROMPT_INJECTION] (SAFE): The skill interacts with user-controlled files (.md, .base, .canvas), creating a surface for indirect prompt injection. However, it processes these files using restricted pattern matching and standard agent safety boundaries.
  - Ingestion points: Agents use `Read(*)` permissions and `post-tool-use.sh` parses tool results.
  - Boundary markers: Absent in agent instructions but mitigated by model-level guardrails.
  - Capability inventory: Agents have access to `Write`, `Edit`, and restricted `Bash` permissions.
  - Sanitization: Content is analyzed via `grep` for pattern tracking without execution or direct interpolation into system prompts.
Audit Metadata