wiki-status

Warn

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: MEDIUMDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill accesses highly sensitive local data paths as part of its core functionality. It is instructed to glob and read files from ~/.claude/projects/ and ~/.codex/, which contain private conversation histories and session transcripts. It also accesses .env and ~/.obsidian-wiki/config files during configuration resolution and specifically searches for pages tagged with visibility/pii. While consistent with the skill's purpose, this access to sensitive personal data and credentials constitutes a data exposure risk.
  • [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection by processing untrusted data from multiple sources. 1. Ingestion points: The skill reads all .md files in the vault, external document sources, and history files from Claude and Codex. 2. Boundary markers: No instructions are provided for delimiters or warnings to ignore instructions embedded within the processed content. 3. Capability inventory: The agent has permission to read sensitive system paths and write new files (_insights.md, log.md) to the vault. 4. Sanitization: No validation or sanitization of content (e.g., frontmatter, wikilinks, or comments) is specified. The skill specifically parses markers like ^[ambiguous] and a GRAPH_SNAPSHOT JSON block hidden in HTML comments.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 19, 2026, 10:03 AM
Security Audit — agent-trust-hub — wiki-status