wiki-query

Warn

Audited by Gen Agent Trust Hub on Jun 17, 2026

Risk Level: MEDIUMCREDENTIALS_UNSAFEDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill requires the agent to read sensitive files such as ~/.obsidian-wiki/config and .env to retrieve configuration paths. These files are high-risk targets as they frequently contain private keys, access tokens, and other sensitive environment variables.\n- [DATA_EXFILTRATION]: User queries and search intent are transmitted to an external service via the mcp__qmd__query tool. This involves sending data to the 'QMD' service, which is not a recognized trusted vendor, potentially exposing the user's knowledge base structure and search patterns.\n- [COMMAND_EXECUTION]: The retrieval protocol utilizes the Grep utility to perform pattern matching across vault files. While intended for search, arbitrary execution of grep on local file systems can be a vector for unintended data exposure.\n- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted content from the user's wiki and incorporates it into synthesized answers without sanitization or boundary markers.\n
  • Ingestion points: Page bodies and index files within the user's wiki vault are read and processed during steps 2, 3, and 4.\n
  • Boundary markers: No delimiters or instructions to ignore embedded commands are present in the synthesis step.\n
  • Capability inventory: The skill can perform file reads, execute grep, write to a log file, and make external tool calls.\n
  • Sanitization: There is no evidence of sanitization or content validation before the wiki data is processed by the agent.\n- [DATA_EXFILTRATION]: The skill maintains a persistent record of user queries and search metadata by appending them to a local log.md file.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 17, 2026, 01:30 AM
Security Audit — agent-trust-hub — wiki-query