obsidian-links
Pass
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: SAFE (flagged categories: PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill reads and processes every Markdown file in an Obsidian vault to audit links, detect orphaned notes, and build maps of content. Any instruction-like text embedded in a vault note is therefore fed to the agent during analysis and could influence its behavior.
  - Ingestion points: SKILL.md (Steps 3, 4, 5) instructs the agent to read note content and extract wikilink patterns.
  - Boundary markers: None specified; the instructions include no delimiters around note content and no warning to ignore instructions embedded in it.
  - Capability inventory: Local shell execution (find, grep, ls, comm), file reading, and file writing.
  - Sanitization: None; the skill specifies no escaping or validation for content extracted from vault notes.
- [COMMAND_EXECUTION]: Shell Command Templating. The skill provides shell command templates for file discovery and link extraction, e.g. `find <vault-root> -name "*.md" | grep -i "<note-name>"`. If the agent fills `<vault-root>` or `<note-name>` by text substitution and the value (supplied by the user or extracted from a note) contains shell metacharacters such as `"`, `;`, `|` or `$(`, the remainder of the value is parsed as additional shell commands unless the agent environment quotes or escapes it.
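The following is an added example, not code from the obsidian-links skill or from this audit. It shows the audited template filled by text substitution next to a hardened form in which every value travels as a separate argument word, and then the link audit itself (wikilink extraction, orphan and broken-link detection with `comm`) written so that note content is only ever pattern-matched, never evaluated. The vault layout, note text, note names and the injection payload are all constructed fixtures and assumptions made for the example.

```sh
#!/bin/sh
# Added example, not code from the obsidian-links skill or its audit.
# Vault layout, note text and the payload are constructed fixtures.
LC_ALL=C; export LC_ALL   # fixed collation so sort and comm agree

# Build a throwaway vault with constructed notes; prints the vault root.
make_vault() {
  vault=$(mktemp -d)
  mkdir -p "$vault/daily"
  printf 'See [[Project Plan]] and [[daily/2026-05-18|today]].\n' > "$vault/Home.md"
  printf 'Back to [[Home]]. Dangling: [[Missing Note]].\n' > "$vault/Project Plan.md"
  printf 'Nothing links here.\n' > "$vault/Scratch.md"
  printf 'No links out.\n' > "$vault/daily/2026-05-18.md"
  printf '%s' "$vault"
}

# VULNERABLE: the audited template, filled by text substitution and re-parsed
# by a shell. A note name carrying metacharacters is executed as a command.
unsafe_find_note() {
  cmd="find $1 -name \"*.md\" | grep -i \"$2\""
  sh -c "$cmd"
}

# HARDENED: values are passed as separate argument words and never re-parsed.
# -F matches the name as a literal string, -- stops it being read as an
# option, and names that would break the line-oriented pipeline are rejected.
safe_find_note() {
  vault_root=$1; note_name=$2
  nl=$(printf '\nx'); nl=${nl%x}
  case $note_name in
    "" | *"$nl"*) printf 'rejected note name\n' >&2; return 2 ;;
  esac
  find "$vault_root" -type f -name '*.md' | grep -i -F -- "$note_name"
}

# Every [[target]] in the vault, alias after | dropped, one per line, sorted.
# Note content is only pattern-matched here, never evaluated.
extract_wikilinks() {
  find "$1" -type f -name '*.md' -exec grep -o -h '\[\[[^]]*\]\]' {} + \
    | sed -e 's/^\[\[//' -e 's/\]\]$//' -e 's/|.*$//' | sort -u
}

# Note paths relative to the vault root without the .md suffix, sorted.
list_notes() {
  (cd "$1" && find . -type f -name '*.md' | sed -e 's|^\./||' -e 's/\.md$//' | sort)
}

# Orphans: notes no link points at (present only in the note list).
find_orphans() {
  notes=$(mktemp); links=$(mktemp)
  list_notes "$1" > "$notes"; extract_wikilinks "$1" > "$links"
  comm -23 "$notes" "$links"
  rm -f "$notes" "$links"
}

# Broken links: targets with no note behind them (present only in the link list).
find_broken_links() {
  notes=$(mktemp); links=$(mktemp)
  list_notes "$1" > "$notes"; extract_wikilinks "$1" > "$links"
  comm -13 "$notes" "$links"
  rm -f "$notes" "$links"
}

# Stand-alone run: show the injection, then the data-only analysis.
demo=$(make_vault)
payload='home"; touch "'"$demo"'/injected.txt"; echo "'   # assumed attacker-controlled note name
unsafe_find_note "$demo" "$payload" >/dev/null 2>&1
[ -f "$demo/injected.txt" ] && echo "unsafe template: injected command ran"
safe_find_note "$demo" "$payload" >/dev/null 2>&1 || echo "hardened: payload matched nothing, nothing ran"
echo "orphans:"; find_orphans "$demo"
echo "broken links:"; find_broken_links "$demo"
rm -rf "$demo"
```

The payload only works against `unsafe_find_note` because the note name is spliced into a string that `sh -c` re-parses; in `safe_find_note` the same string reaches `grep` as one argument and simply matches nothing. The newline check matters because the pipeline is line-oriented, so a name containing a newline could be used to smuggle a second search term or corrupt the orphan list that `comm` compares.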
Audit Metadata