tag-taxonomy
Fail
Audited by Gen Agent Trust Hub on May 6, 2026
Risk Level: HIGH
Tags: DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill explicitly instructs the agent to read the .env file to retrieve configuration. Reading .env files is classified as a sensitive file exposure finding because these files are the standard location for storing high-value secrets such as API keys, database credentials, and access tokens. Accessing this file exposes all contained secrets to the agent's context.
- [PROMPT_INJECTION]: The skill has a significant indirect prompt injection surface due to its core functionality of scanning and processing all markdown files within the Obsidian vault.
  - Ingestion points: The skill processes frontmatter and content from every markdown file matching the glob `$VAULT_PATH/**/*.md`.
  - Boundary markers: Absent. There are no instructions to the agent to distinguish between its own system instructions and instructions that may be maliciously embedded in the vault pages.
  - Capability inventory: The agent possesses file read and write permissions across the entire vault and the ability to modify core taxonomy and logging files.
  - Sanitization: Absent. The skill extracts and processes data from untrusted files without validation or escaping, which could allow maliciously crafted frontmatter to influence the agent's actions.
- Remediation Guidance: To mitigate these risks, the skill should avoid direct access to .env files and instead rely on pre-loaded environment variables. When processing user-controlled files, the agent should be provided with clear delimiters (e.g., XML tags) and explicit instructions to ignore any AI-oriented commands found within those files. Implementing a strict YAML schema for frontmatter parsing would also reduce the risk of processing malicious inputs.
Recommendations
- AI detected serious security threats
Audit Metadata