obsidian-vault-add
Warn
Audited by Gen Agent Trust Hub on Apr 11, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill uses user-supplied input (the `<title>` argument) directly in shell commands such as `obsidian read file="<title>"` and `obsidian create path="<path>"`. This creates a risk of command injection if the input contains shell metacharacters like semicolons, pipes, or backticks.
- [REMOTE_CODE_EXECUTION]: The skill generates Python code at runtime by inserting user input and web-fetched metadata into script templates (e.g., `query = "<title>"`). Since these strings are then executed via `Bash(python3*)`, an attacker could potentially execute arbitrary Python code by providing a title that escapes the string literal and includes malicious commands.
- [EXTERNAL_DOWNLOADS]: Fetches metadata and images from several external services, including Wikipedia, the Apple iTunes API, TVMaze, and OpenLibrary. While these are well-known services, the downloaded content is used to populate vault notes and script variables without integrity checks.
- [PROMPT_INJECTION]: The skill demonstrates a surface for indirect prompt injection by ingesting untrusted data from web search results and public APIs and interpolating it into the vault context.
  - Ingestion points: Metadata and descriptions are fetched from the Wikipedia REST API, iTunes Search API, TVMaze API, and OpenLibrary API.
  - Boundary markers: Absent. The skill does not use delimiters or instructions to ignore potential commands embedded within the fetched metadata.
  - Capability inventory: The agent has broad capabilities including file modification (`Edit`, `Write`), shell command execution (`Bash`), and Python execution (`python3`).
  - Sanitization: Absent. There is no evidence of escaping or validating external content before it is added to notes or executed in scripts.