skills/akillness/jeo-skills/obsidian/Gen Agent Trust Hub

obsidian

Fail

Audited by Gen Agent Trust Hub on Jun 17, 2026

Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill provides instructions to run npx github:gapmiss/obsidian-plugin-skill create-plugin. This command downloads and executes code directly from an unverified third-party GitHub repository, bypassing standard package registry security checks.
  • [COMMAND_EXECUTION]: The skill makes extensive use of the Bash tool to interact with the system, including running the obsidian CLI, executing npm/npx commands, and triggering developer tools like obsidian devtools or obsidian eval.
  • [EXTERNAL_DOWNLOADS]: The skill installs external Node.js packages (eslint-plugin-obsidianmd) and pulls skill content from GitHub during installation or boilerplate generation.
  • [PROMPT_INJECTION]: There is a clear surface for indirect prompt injection as the skill reads untrusted markdown data from an Obsidian vault and subsequently uses high-capability tools.
  • Ingestion points: Local markdown files are read using the obsidian read CLI command as documented in references/cli-automation.md.
  • Boundary markers: No delimiters or safety instructions are provided to prevent the agent from following malicious instructions found within the read notes.
  • Capability inventory: The skill is granted Bash, Write, Edit, and WebFetch tools, allowing an attacker to potentially escalate from a note read to system commands or data exfiltration.
  • Sanitization: Content read from the vault is processed without escaping or validation.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Jun 17, 2026, 07:06 AM
Security Audit — agent-trust-hub — obsidian