obsidian-granola
Warn
Audited by Gen Agent Trust Hub on May 8, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [DYNAMIC_EXECUTION]: The skill constructs and executes shell commands using dynamic content fetched from an external source.
- Evidence: In
SKILL.md, the instruction in Section 6 directs the agent to executeobsidian open file="[Meeting Title]", where[Meeting Title]is derived from meeting metadata retrieved via the Granola MCP. - Risk: This patterns creates a command injection vulnerability if a meeting title contains shell metacharacters (e.g., backticks, semicolons, or pipes).
- [INDIRECT_PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes untrusted data from meeting transcripts and summaries.
- Ingestion points: Meeting data is retrieved using
mcp_granola_get_meetingsandmcp_granola_get_meeting_transcriptinSKILL.md. - Boundary markers: The instructions do not include boundary markers or explicit directions to the agent to ignore instructions that might be embedded within the meeting content.
- Capability inventory: The skill has access to
obsidian read,obsidian open, and general shell execution/file writing capabilities (as seen inSKILL.md). - Sanitization: There is no evidence of sanitization or filtering of the transcript content before it is interpolated into the Obsidian note templates and saved to the filesystem.
- [COMMAND_EXECUTION]: The skill explicitly instructs the agent to use shell commands (
bash) to interact with the Obsidian CLI for opening files.
Audit Metadata