The Agent Skills Directory

[PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes content from user-controlled Obsidian notes which could contain malicious instructions.
Ingestion points: The vault_ops.py read command enters note content into the agent context from file paths provided to the tool.
Boundary markers: No explicit boundary markers or instructions to ignore embedded commands are documented for the ingested file content.
Capability inventory: The skill allows file creation, modification, and the execution of shell commands through the Bash tool to run the operations script.
Sanitization: No sanitization or validation mechanisms for the read content are described.
[COMMAND_EXECUTION]: The skill relies on executing a Python script (vault_ops.py) via the Bash tool to perform its operations. This script is located at a relative path outside the immediate skill directory (../../../scripts/vault_ops.py), which is a common structure in development repositories but worth noting as a dependency.
[EXTERNAL_DOWNLOADS]: The skill specifies ruamel as a pip dependency in the frontmatter, while the fallback documentation mentions ruamel.yaml. ruamel.yaml is a well-known library for YAML processing, and this discrepancy appears to be a minor configuration oversight rather than a malicious pattern.

obsidian-vault-crud