Gen Agent Trust Hub audit: skills/ekadetov/llm-wiki/wiki

Skill: wiki

Result: Fail

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill interpolates user-supplied arguments and content-derived strings directly into shell commands without sanitization. This occurs in the init and remove operations (using the <name> argument), the query operation (using the <question> argument), and the compile operation (using extracted article titles in a grep command). This pattern is highly susceptible to shell command injection if the inputs contain shell metacharacters.
  • [REMOTE_CODE_EXECUTION]: The lint operation executes an external Python script (scripts/lint-wiki.py) located in the plugin root. This script is not provided within the skill's source files, creating a dependency on an external or environment-provided executable.
  • [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection (Category 8).
    ◦ Ingestion points: Data enters via the ingest <path|url> command, which reads from external URLs or local files.
    ◦ Boundary markers: No explicit boundary markers or directives are used to separate ingested content from the agent's instructions during processing.
    ◦ Capability inventory: The agent has access to file system writes (mkdir, git, file writes in ~/ObsidianVault), shell execution (grep, qmd, marp, python3), and network access (WebFetch).
    ◦ Sanitization: No evidence of sanitization for ingested content before it is processed by the LLM for summarization and entity extraction.
  • [DATA_EXFILTRATION]: The ingest command allows fetching content from arbitrary URLs via the WebFetch tool. This capability could be abused to probe internal network services or exfiltrate data if the agent is directed to ingest from sensitive locations.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Apr 10, 2026, 05:12 AM