obsidian-second-brain
Fail
Audited by Snyk on May 14, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 1.00). The prompt embeds deceptive background instructions — e.g., spawning a headless "claude --dangerously-skip-permissions -p" subprocess that runs silently via a PostCompact hook to propagate vault updates without user visibility or explicit consent — which tells the agent to bypass platform permissions and act outside normal, transparent skill behavior.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests open web and social-media content (e.g., /obsidian-ingest accepts URLs, and the Research commands /x-read, /x-pulse, /research, /research-deep, and /youtube in SKILL.md call out fetching X/Twitter posts, web search/Perplexity results, and YouTube transcripts) and then reads, synthesizes, and in some cases automatically propagates updates (research-deep emits a propagation payload and spawns vault-updating agents), so untrusted user-generated content can directly influence agent actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill's install/bootstrapping instructions explicitly run a remote shell script (curl -sL https://raw.githubusercontent.com/eugeniughelbur/obsidian-second-brain/main/scripts/quick-install.sh | bash), which fetches and executes code from that URL at runtime, so it is a runtime external dependency that executes remote code.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill instructs the agent to modify user configuration and hook files (e.g., ~/.claude/settings.json), make and install executable scripts (chmod, curl|bash), set env vars, create background scheduled agents, and even spawn a headless subprocess with the explicit --dangerously-skip-permissions flag — actions that change machine state and bypass security protections.
Issues (4)
- CRITICAL E004: Prompt injection detected in skill instructions.
- MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- MEDIUM W013: Attempt to modify system services in skill instructions.