work-log
Warn
Audited by Gen Agent Trust Hub on Mar 19, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses shell subprocesses to interact with the local filesystem via the Obsidian CLI binary located at
/Applications/Obsidian.app/Contents/MacOS/obsidian. This includes reading, writing, and modifying files within a local vault. - [REMOTE_CODE_EXECUTION]: The documentation provided to the agent in
references/obsidian-cli.mdexplicitly describes anevalcommand that allows the execution of arbitrary JavaScript code (obsidian eval code=<javascript>) within the application context. This represents a significant capability for dynamic code execution. - [REMOTE_CODE_EXECUTION]: The skill includes documentation for commands that can modify the application's environment, such as
plugin:installandplugin:enable, which allow for the installation and execution of third-party community plugins. - [DATA_EXFILTRATION]: The skill is designed to read sensitive local data from Obsidian vaults (
obsidian daily:read). While no network exfiltration commands are present in the skill's instructions, the ability to read private local files combined with the agent's general tool access creates an exposure surface. - [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted data by reading the contents of daily notes. There are no boundary markers or sanitization steps mentioned to prevent instructions embedded within those notes from influencing the agent's behavior, particularly given the high-privilege commands (like
evalordelete) documented in the CLI reference.
Audit Metadata