The Agent Skills Directory

[PROMPT_INJECTION]: The skill processes metadata and properties from Obsidian vault notes which are untrusted data sources.
Ingestion points: Note properties and frontmatter are accessed via file.properties and note.author as seen in SKILL.md.
Boundary markers: There are no explicit instructions or delimiters used to prevent the agent from treating data within note properties as instructions.
Capability inventory: The skill generates .base files which can execute logic via formulas and render UI elements.
Sanitization: Although escapeHTML() is available, its use is not required or emphasized in the recommended workflow for processing external note data.
[COMMAND_EXECUTION]: The skill provides a mechanism for dynamic UI-side code execution through its formula system and HTML rendering capability.
Evidence: The html() function documented in references/FUNCTIONS_REFERENCE.md allows raw strings to be rendered as HTML within the Obsidian interface. If note properties containing malicious scripts are passed to this function, it could lead to arbitrary script execution in the context of the Obsidian application.

obsidian-bases