wiki-ingest

Pass

Audited by Gen Agent Trust Hub on May 18, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill implements a robust "Content Trust Boundary" in SKILL.md, which explicitly instructs the agent to treat all source documents as untrusted data and forbids the execution of any commands or behavioral overrides found within them.
  • [COMMAND_EXECUTION]: The skill uses shell utilities like sha256sum and a local qmd CLI. The instructions include specific security hardening measures, such as using the -- delimiter to prevent flag injection and double-quoting file paths to prevent command injection from maliciously named files.
  • [DATA_EXPOSURE]: The skill reads configuration from .env and ~/.obsidian-wiki/config but includes strict instructions to only read required variables and never log, echo, or reference other sensitive values.
  • [INDIRECT_PROMPT_INJECTION]: The skill is designed to process external untrusted files (PDFs, text, images). It addresses this attack surface with a mandatory evidence chain:
  • Ingestion points: Document and image reading in Step 1.
  • Boundary markers: Explicit instructions in the "Content Trust Boundary" section to ignore embedded instructions.
  • Capability inventory: Scoped shell execution (sha256sum, qmd) and file system operations within the Obsidian vault.
  • Sanitization: Filename quoting and argument isolation for CLI calls.
  • [SAFE]: The "PI_IGNORE_INSTRUCTIONS" pattern flagged by detectors is a false positive; the text in question is actually a defensive instruction teaching the model to ignore malicious prompts found in untrusted user data.
Audit Metadata
Risk Level
SAFE
Analyzed
May 18, 2026, 07:37 PM
Security Audit — agent-trust-hub — wiki-ingest