obsidian-plugin-templater
Pass
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: SAFEPROMPT_INJECTIONNO_CODE
Full Analysis
- [PROMPT_INJECTION]: The documentation describes features that enable the ingestion of untrusted data (via
tp.system.promptandtp.obsidian.request) and its interpolation into templates, creating a surface for indirect prompt injection. - Ingestion points: Untrusted data enters the context through
tp.system.prompt(),tp.system.suggester(), and network responses fromtp.obsidian.request()as documented inSKILL.md. - Boundary markers: The documentation does not specify the use of delimiters or specific instructions to the agent to ignore embedded commands within processed data.
- Capability inventory: The skill documents powerful capabilities including system command execution (
tp.system.executeCommandWithOutput()), file creation (tp.file.create_new()), and HTTP networking (tp.obsidian.request()) inSKILL.md. - Sanitization: The documentation provides a dedicated 'Security Warning' section advising users to review code, trust only known templates, and notes that system commands are restricted in modern sandbox environments.
- [COMMAND_EXECUTION]: The skill provides instructions for using
tp.system.executeCommandWithOutput()to run arbitrary shell commands. Although it contains warnings about plugin-level restrictions and sandbox limitations, this functionality allows an agent to interact with the host system's command line. - [DATA_EXFILTRATION]: Documentation outlines the use of
tp.obsidian.request()andtp.obsidian.requestUrl()for network operations. While these are legitimate plugin features, they could be misused to transmit vault data or local file contents to external servers. - [NO_CODE]: The skill consists exclusively of documentation and markdown instructions; it does not contain or execute any standalone scripts or binary files.
Audit Metadata