obsidian
Pass
Audited by Gen Agent Trust Hub on Jun 16, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill promotes security best practices by instructing the agent to use structured file-handling tools (read_file, write_file, patch, search_files) instead of shell-based alternatives like cat, ls, or grep, which significantly reduces the risk of command injection.
- [SAFE]: Guidance for vault path resolution includes a requirement to use absolute paths and a warning against passing unexpanded shell variables to file tools, ensuring robust and predictable file operations.
- [SAFE]: The use of the terminal tool is strictly limited to initial path resolution and simple data appending when structured tools are not applicable, minimizing the agent's overall shell execution surface.
- [PROMPT_INJECTION]: The skill has a theoretical attack surface for indirect prompt injection, as it is designed to read and process content from markdown notes that could contain embedded instructions. This is an inherent property of any note-reading skill and no adversarial exploitation is present in the skill code.
- Ingestion points: File content is ingested via read_file and search_files as documented in SKILL.md.
- Boundary markers: No specific delimiters or "ignore instructions" wrappers are defined for the ingested vault content.
- Capability inventory: The skill allows file creation (write_file), file modification (patch), and shell execution (terminal) for specific setup tasks.
- Sanitization: No explicit sanitization or validation of the content retrieved from Obsidian notes is mandated before processing.
Audit Metadata