vault-structure
Fail
Audited by Gen Agent Trust Hub on Apr 12, 2026
Risk Level: HIGH
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill requires the agent to execute local shell commands and a provided helper script (read-vault-file.sh) to interact with the Obsidian vault.
- [DATA_EXFILTRATION]: The script scripts/read-vault-file.sh is vulnerable to path traversal. It uses a user-supplied filename argument directly in a path construction without sanitization, allowing the cat command to read files outside the intended vault directory (e.g., by providing ../../.ssh/id_rsa).
- [DATA_EXFILTRATION]: The skill hardcodes an absolute local path (/Users/kriscard/obsidian-vault-kriscard), which reveals the author's local username and filesystem structure.
- [PROMPT_INJECTION]: The skill creates a surface for indirect prompt injection. (1) Ingestion point: vault notes are read into the agent context via read-vault-file.sh. (2) Boundary markers: no delimiters are used to separate untrusted note content from agent instructions. (3) Capability inventory: includes local shell command execution and file reading. (4) Sanitization: there is no validation or escaping of the ingested note content before it is processed by the agent.
Recommendations
- AI detected serious security threats
Audit Metadata