wiki-status
Warn
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: MEDIUMDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill accesses highly sensitive local data paths as part of its core functionality. It is instructed to glob and read files from
~/.claude/projects/and~/.codex/, which contain private conversation histories and session transcripts. It also accesses.envand~/.obsidian-wiki/configfiles during configuration resolution and specifically searches for pages tagged withvisibility/pii. While consistent with the skill's purpose, this access to sensitive personal data and credentials constitutes a data exposure risk. - [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection by processing untrusted data from multiple sources. 1. Ingestion points: The skill reads all
.mdfiles in the vault, external document sources, and history files from Claude and Codex. 2. Boundary markers: No instructions are provided for delimiters or warnings to ignore instructions embedded within the processed content. 3. Capability inventory: The agent has permission to read sensitive system paths and write new files (_insights.md,log.md) to the vault. 4. Sanitization: No validation or sanitization of content (e.g., frontmatter, wikilinks, or comments) is specified. The skill specifically parses markers like^[ambiguous]and aGRAPH_SNAPSHOTJSON block hidden in HTML comments.
Audit Metadata