obsidian-literature-workflow
Warn
Audited by Gen Agent Trust Hub on May 13, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [DYNAMIC_EXECUTION]: Both scripts/build_literature_canvas.py and scripts/build_literature_graph.py modify the Python module search path at runtime to load a dependency.
  - Evidence: The scripts use sys.path.insert(0, ...) to target a sibling directory (obsidian-project-kb-core/scripts) based on a relative path calculation.
  - Concern: This pattern involves executing code from computed paths outside the skill's own directory, which is a security risk if the filesystem structure is manipulated.
- [INDIRECT_PROMPT_INJECTION]: The skill ingests untrusted data from user-controllable Obsidian notes to generate aggregated project maps, exposing a vulnerability surface.
  - Ingestion points: Markdown files in Sources/Papers/ and Knowledge/ are read for frontmatter and body content.
  - Boundary markers: No boundary markers or instructions are used to separate user data from the processing logic or to warn the agent about potential instructions within the data.
  - Capability inventory: The skill possesses the capability to read from and write to any file within the project vault.
  - Sanitization: While JSON output is structured, the build_literature_graph.py script performs direct string interpolation into Markdown and Mermaid templates using f-strings without escaping special characters or validating the content.
Audit Metadata