obsidian-project-memory

Warn

Audited by Gen Agent Trust Hub on May 16, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The helper script scripts/project_kb.py performs sensitive file system operations, including directory deletion via shutil.rmtree and file moving via shutil.move, based on a vault_root path read from registry.yaml. Since this configuration file resides within the repository and the script lacks validation to ensure the path is within an authorized directory, a malicious repository could direct the agent to delete or overwrite arbitrary system files during project lifecycle or purge operations.
  • [COMMAND_EXECUTION]: The script scripts/project_kb.py invokes the git utility using subprocess.check_output to track project state. While the script uses list-based arguments to mitigate shell injection, the reliance on repository-provided configuration for sensitive file operations presents a risk if the repository is untrusted.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting and synthesizing repository data.
      – Ingestion points: Local files such as README.md and the docs/ and plan/ folders are read by the agent.
      – Boundary markers: No explicit delimiters or instructions are provided to the agent to ignore instructions embedded in ingested data.
      – Capability inventory: The skill can perform file writes, directory moves, and deletions via the provided Python scripts.
      – Sanitization: There is no evidence of validation or escaping of ingested content before it is used for note synthesis or state updates, which could allow malicious instructions to influence agent behavior.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 16, 2026, 10:11 AM
Security Audit — agent-trust-hub — obsidian-project-memory