vault-ops
Pass
Audited by Gen Agent Trust Hub on May 15, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill uses a 'Local Override Model' that instructs the agent to read and prioritize instructions from a file named 'AGENTS.md' and its referenced files found at the root of any vault it processes. This introduces a risk of Indirect Prompt Injection where malicious content in a shared or downloaded vault could compromise agent behavior.
  - Ingestion points: 'AGENTS.md' and referenced files at the vault root (identified in 'SKILL.md').
  - Boundary markers: No delimiters or 'ignore embedded instructions' warnings are implemented when processing these local files.
  - Capability inventory: The skill performs file read/write operations and executes shell commands ('rg') across all reference scripts.
  - Sanitization: No evidence of validation or sanitization of content from these vault-local instruction files.
- [COMMAND_EXECUTION]: The skill relies on the 'rg' (ripgrep) CLI tool for all navigation and search tasks. It provides shell command templates that include piping output to 'xargs' for multi-stage filtering.
  - Evidence: Bash snippets in 'reference/navigating-vaults.md' such as 'rg '^type: pattern' notes/ | xargs rg -l '^methodology: Original''.
- [DATA_EXPOSURE]: The skill accesses sensitive user configuration files outside the project directory to discover vaults, specifically searching for 'obsidian.json' in OS-specific application data directories and the user's home directory for '.vault-ops.json'.
  - Evidence: Path lookups in 'reference/managing-vaults.md' including '/Library/Application Support/obsidian/obsidian.json', '%APPDATA%\obsidian\obsidian.json', and '/.config/obsidian/obsidian.json'.
Audit Metadata