vault-skill-factory

Pass

Audited by Gen Agent Trust Hub on Jun 14, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes local system commands and specialized CLI tools including grep, glob, qmd, and vsearch to identify and cluster related documentation within the user's vault. It additionally invokes local Python scripts (improve_description.py, package_skill.py, quick_validate.py) found in the repository's internal .skills/ directory to refine and validate the generated artifacts.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it distills content from untrusted, user-provided wiki pages into instructions for a new skill.
  • Ingestion points: Reads markdown content from the local directory defined by OBSIDIAN_VAULT_PATH (SKILL.md).
  • Boundary markers: No security-focused delimiters or escape sequences are used to isolate ingested wiki text from the instructions generated for the new SKILL.md file.
  • Capability inventory: The factory performs file system write operations to SKILL_FACTORY_OUTPUT_DIR and executes local Python-based utility scripts (SKILL.md).
  • Sanitization: The skill lacks logic to filter or sanitize instructions embedded within vault notes, though it preserves provenance markers (^[inferred]) for factual traceability.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 14, 2026, 06:16 AM
Security Audit — agent-trust-hub — vault-skill-factory