refine-daily-note

Pass

Audited by Gen Agent Trust Hub on May 13, 2026

Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from Slack messages, GitHub activity, and meeting notes, which are then summarized and written into the vault.
  • [PROMPT_INJECTION]: Evidence Chain for Indirect Prompt Injection:
      1. Ingestion points: External Slack activity logs, GitHub repository events (PR titles, commits), and vault meeting notes (transcripts and metadata).
      2. Boundary markers: Absent. There are no instructions to use delimiters or ignore instructions embedded in the external data being processed.
      3. Capability inventory: The skill utilizes file system operations (read/create/edit via 'obsidian' CLI), search capabilities ('qmd query'), and version control ('git commit').
      4. Sanitization: Absent. The instructions do not include steps to sanitize or validate external content before it is interpolated into vault notes.
  • [PROMPT_INJECTION]: The implementation of an '--auto' mode allows the skill to run without human-in-the-loop confirmation. This bypasses the default safety checks for content generation, entity creation, and summaries, potentially allowing malicious content from external sources to be automatically persisted in the vault.
  • [COMMAND_EXECUTION]: The skill executes several shell commands to interact with the Obsidian vault and version control system, including 'obsidian' (for reading and creating notes), 'qmd query' (for vault searching), and 'git commit' (for automated backups).
Audit Metadata
Risk Level: SAFE
Analyzed: May 13, 2026, 06:33 PM