obsidian
Pass
Audited by Gen Agent Trust Hub on Mar 30, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it instructs the agent to read and process untrusted data from Markdown notes stored in local vaults.
- Ingestion points: Untrusted data enters the agent context through
obsidian-cli search-contentand by reading*.mdfiles directly. - Boundary markers: The instructions lack explicit delimiters or warnings to ignore malicious commands that might be embedded within the notes being read.
- Capability inventory: The agent is granted capabilities to create, move, and delete files via
obsidian-cliand direct filesystem access. - Sanitization: No sanitization, escaping, or validation logic is defined for the content retrieved from the notes.
- [COMMAND_EXECUTION]: The skill utilizes the
obsidian-clicommand-line tool to perform vault operations such as searching, renaming, and deleting notes. - [EXTERNAL_DOWNLOADS]: The skill's metadata includes instructions to install the
obsidian-clidependency from a Homebrew tap (yakitrak/yakitrak/obsidian-cli). - [DATA_EXFILTRATION]: The skill accesses the Obsidian application configuration file at
~/Library/Application Support/obsidian/obsidian.jsonto identify active vault paths. This involves reading application-specific metadata from a standard configuration directory.
Audit Metadata