Gen Agent Trust Hub audit of skills/zpankz/mcp-skillset/process

Skill: process

Result: Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill is designed to ingest and process untrusted data from an Obsidian vault. A malicious note could contain instructions that trick the agent into performing unauthorized file operations.
    • Ingestion points: quickstart.md and use-case-1-migrate-flat-to-hierarchical.md specify processing all Markdown files in a user-provided directory (~/vault).
    • Boundary markers: Absent. There are no instructions to the agent to treat note content as data only or to ignore embedded natural language instructions.
    • Capability inventory: The skill includes scripts for moving files (migrate-structure), modifying content (process-frontmatter), and deleting folders (find ... -delete in examples).
    • Sanitization: Absent. While obsidian-syntax.md includes format validation (e.g., is_valid_tag), there is no sanitization against natural language command overrides.
  • [Dynamic Execution] (MEDIUM): The documentation encourages runtime script generation and execution.
    • Evidence: use-case-1-migrate-flat-to-hierarchical.md provides an embedded Python script (update_folder_metadata.py) and a python -c one-liner for execution. This pattern is risky if the generated code incorporates untrusted data from the vault notes without strict escaping.
  • [Command Execution] (MEDIUM): The skill heavily relies on shell commands for file system management.
    • Evidence: quickstart.md and the migration examples utilize find, mv, rm, and cp. If vault filenames are maliciously crafted (e.g., containing backticks or shell metacharacters), they could lead to command injection during batch processing.
  • [External Downloads] (LOW): The skill requires installing external dependencies.
    • Evidence: quickstart.md instructs the user to pip install pyyaml. Since pyyaml is a well-known package from a standard registry, this is a low-risk finding per [TRUST-SCOPE-RULE].
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 05:03 AM