assistant
Warn
Audited by Gen Agent Trust Hub on Apr 27, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on the `obsidian` CLI tool, which provides an `eval` command (`obsidian eval code="..."`). This capability allows the execution of arbitrary JavaScript code within the Obsidian application, posing a risk if the input is manipulated.
- [PROMPT_INJECTION]: The skill features a "Teaching Loop" and "Auto-Save Rule" that automatically append new instructions to the core configuration file (`claude.md`) based on user corrections. This mechanism is vulnerable to indirect prompt injection from untrusted data sources.
  - Ingestion points: Web content via `defuddle`, meeting transcripts (Fireflies/manual), and vault-resident project files (SKILL.md).
  - Boundary markers: Absent; the skill does not implement delimiters or safety instructions to distinguish between processed data and agent instructions.
  - Capability inventory: File system read/write via the `obsidian` CLI and direct access, arbitrary JS execution via `obsidian eval`, and network fetching via `defuddle` (SKILL.md, references/obsidian-cli.md).
  - Sanitization: No sanitization or validation logic is defined for the data extracted from external sources or for the rules generated during the "Teaching Loop."
- [EXTERNAL_DOWNLOADS]: The skill utilizes the `defuddle` CLI tool to fetch and parse content from external URLs. While intended for markdown extraction, this enables the agent to interact with and ingest data from any remote domain provided in the conversation (SKILL.md).
Audit Metadata