obsidian-second-brain
Fail
Audited by Gen Agent Trust Hub on Jun 27, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The documentation in
SKILL.mdandreferences/install.mdexplicitly instructs users to perform installation by piping a remote shell script from GitHub directly into bash (curl -fsSL ... | bash). - [EXTERNAL_DOWNLOADS]: The installation and setup processes rely on downloading external scripts and cloning repositories from GitHub, as seen in
scripts/install.shand the installation guides. - [COMMAND_EXECUTION]: The
scripts/install.shscript usesjqto programmatically modify the~/.jeo/config.jsonfile. This action registers a persistentpost-turnhook that executes a validation script whenever tools are used, which is a form of automated persistence. - [COMMAND_EXECUTION]: The skill uses various high-leverage CLI tools including
git,npx, anduvto manage the environment and install dependencies. - [PROMPT_INJECTION]: The
/obsidian-ingestfeature introduces a surface for indirect prompt injection. By fetching and processing content from external URLs, PDFs, and media transcripts, the skill could ingest malicious instructions that manipulate how the AI agent summarizes or rewrites vault content. - Ingestion points:
references/commands.mddescribes/obsidian-ingesttaking URLs and files as input. - Boundary markers: No explicit prompt delimiters or instructions to ignore embedded commands were found in the provided files.
- Capability inventory: The skill has broad permissions including
Bashexecution and full file system access (Read,Write,Edit). - Sanitization: There is no evidence of sanitization or filtering of external data before it is processed by the AI to update the vault.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/akillness/obsidian-second-brain/main/scripts/quick-install.sh - DO NOT USE without thorough review
Audit Metadata