wiki-dedup
Pass
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through its core deduplication and merging logic. Because the agent reads the full body of untrusted markdown files to determine if they cover the same concept (Step 3) and to integrate their content (Step 5b), malicious instructions hidden in a wiki page could influence the agent's behavior.
- Ingestion points: SKILL.md (Step 3 and Step 5b) requires the agent to read the full contents of all
.mdfiles identified as candidates in the Obsidian vault. - Boundary markers: No boundary markers or 'ignore' instructions are used when the agent processes the contents of these external files.
- Capability inventory: The skill allows for comprehensive file system access within the vault, including reading all files, writing redirect stubs, updating central manifest files, and performing vault-wide search-and-replace for wikilinks.
- Sanitization: There is no evidence of sanitization or filtering of the content being integrated into the canonical page or used for the semantic verdict.
- [COMMAND_EXECUTION]: The skill instructs the agent to use 'grep' and 'Edit/Write tools' to search for and modify wikilinks across the vault. While the instructions explicitly forbid destructive operations like 'rm', the use of shell-like searching over an entire directory structure presents a broad capability surface.
Audit Metadata