obsidian-ops

Warn

Audited by Snyk on Apr 16, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill's sync and quick-sync workflows (see references/sync-procedure.md and references/quick-sync-guide.md) explicitly fetch and pull updates from public GitHub reference repos such as obsidian-api and obsidian-sample-plugin, and instruct the agent to read those repo files (e.g., AGENTS.md) and incorporate them into its workflow. Untrusted third-party content could therefore influence the agent's actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill instructs agents to perform a runtime git clone/pull of external repositories (e.g., https://github.com/obsidianmd/obsidian-api and the example clone URL template https://github.com/user/my-plugin.git). The fetched .ref/AGENTS.md and related files are read and merged into .agents content, where they can influence agent prompts or be followed by build commands that execute remote code. This is therefore a runtime external dependency that controls agent behavior.


Audit Metadata

Risk Level: MEDIUM
Analyzed: Apr 16, 2026, 02:50 PM
Issues: 2