obsidian
Fail
Audited by Gen Agent Trust Hub on Jun 17, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill provides instructions to run
npx github:gapmiss/obsidian-plugin-skill create-plugin. This command downloads and executes code directly from an unverified third-party GitHub repository, bypassing standard package registry security checks. - [COMMAND_EXECUTION]: The skill makes extensive use of the
Bashtool to interact with the system, including running theobsidianCLI, executingnpm/npxcommands, and triggering developer tools likeobsidian devtoolsorobsidian eval. - [EXTERNAL_DOWNLOADS]: The skill installs external Node.js packages (
eslint-plugin-obsidianmd) and pulls skill content from GitHub during installation or boilerplate generation. - [PROMPT_INJECTION]: There is a clear surface for indirect prompt injection as the skill reads untrusted markdown data from an Obsidian vault and subsequently uses high-capability tools.
- Ingestion points: Local markdown files are read using the
obsidian readCLI command as documented inreferences/cli-automation.md. - Boundary markers: No delimiters or safety instructions are provided to prevent the agent from following malicious instructions found within the read notes.
- Capability inventory: The skill is granted
Bash,Write,Edit, andWebFetchtools, allowing an attacker to potentially escalate from a note read to system commands or data exfiltration. - Sanitization: Content read from the vault is processed without escaping or validation.
Recommendations
- AI detected serious security threats
Audit Metadata