obsidian-markdown — agentic threat model
This agent skill focuses on formatting and structuring Obsidian-flavored Markdown files. Its primary risk lies in local file system modification and potential indirect prompt injection if the host agent processes untrusted inputs into the vault.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
|---|---|
| Autonomy of Action | 0.20 |
| Goal-Driven Planning | 0.10 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.20 |
| Persistent Memory | 0.10 |
| Contextual Awareness | 0.30 |
| Dynamic Identity | 0.00 |
| Multi-Agent Interactions | 0.00 |
| Non-Determinism | 0.30 |
| Opacity & Reflexivity | 0.20 |
Scored with the canonical OWASP AIVSS formula (see the AIVSS calculator reference); the agentic risk factors are estimates derived from the agent's described capabilities, not from testing.
MAESTRO 7-layer threat model
Per-layer threats for this agent, in MAESTRO layer order. Layers tagged “not certain from the listing” are general, caveated commentary where the public description did not address that layer.
Layer 1, Foundation Models: Not certain from the listing — the skill is model-agnostic and acts as an instruction set. It is exposed to indirect prompt injection if the underlying model processes untrusted inputs before writing markdown.
Layer 2, Data Operations: The skill operates directly on Obsidian vault data (.md files, wikilinks, embeds). Risks include data corruption, unauthorized file modification, and directory traversal if the agent maps wikilink targets to file system paths without confining them to the vault.
Layer 3, Agent Frameworks: Not certain from the listing — the orchestration framework hosting this skill is undefined. However, insecure tool integration could allow the agent to overwrite critical system files instead of only vault files.
Layer 4, Deployment and Infrastructure: Not certain from the listing — the deployment environment is most likely a local desktop running Obsidian, so host compromise or local file system exposure is the primary infrastructure threat.
Layer 5, Evaluation and Observability: Not certain from the listing — no built-in guardrails or logging mechanisms are mentioned that would record which markdown content or file paths the agent generates.
Layer 6, Security and Compliance: Not certain from the listing — no authentication, authorization, or compliance controls are defined. Access control relies entirely on host operating system and Obsidian application permissions.
Layer 7, Agent Ecosystem: Not certain from the listing — no multi-agent interactions are described, though the generated markdown could be consumed by other automated agents parsing the same vault.
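The Data Operations layer above names directory traversal through wikilink targets as a risk. The following is an added example, not code from the skill, showing how a host agent can confine every wikilink target it resolves to the vault root before touching the file system; the vault path and the sample note are constructed for the demonstration.

```python
import re
from pathlib import Path

# Matches [[target]], [[target|alias]], [[target#heading]] and embeds ![[target]].
# Group 1 is the path-like target an agent would turn into a file system path.
WIKILINK_RE = re.compile(r"\[\[([^\]|#]+)(?:#[^\]|]*)?(?:\|[^\]]*)?\]\]")

def resolve_wikilink(vault_root: str, target: str) -> Path:
    """Map a wikilink target to a file path that must stay inside the vault.

    Raises ValueError when the normalised path escapes vault_root, which is
    the traversal case the threat model flags.
    """
    root = Path(vault_root).resolve()
    name = target.strip()
    if not Path(name).suffix:          # bare note names get the .md extension
        name += ".md"
    # Joining an absolute target discards root, so resolve() plus relative_to()
    # catches both "../" escapes and absolute-path escapes after normalisation.
    candidate = (root / name).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise ValueError(f"wikilink target escapes vault: {target!r}") from None
    return candidate

def audit_note(vault_root: str, markdown: str) -> dict:
    """Classify every wikilink target in a note as inside or outside the vault."""
    result = {"inside": [], "outside": []}
    for match in WIKILINK_RE.finditer(markdown):
        target = match.group(1)
        try:
            resolve_wikilink(vault_root, target)
            result["inside"].append(target)
        except ValueError:
            result["outside"].append(target)
    return result

# Constructed sample note: a benign link, a link that normalises to a safe
# path, an embed, and two targets that would leave the vault.
SAMPLE_NOTE = """
See [[Daily/2024-01-01|yesterday]] and [[Projects/../Inbox#Todo]].
![[attachments/diagram.png]]
Bad: [[../../etc/passwd]] and [[/etc/shadow]]
"""

if __name__ == "__main__":
    print(audit_note("/tmp/example-vault", SAMPLE_NOTE))
```

Run the audit on a note before the agent writes or follows its links; anything in `outside` should be refused and logged, which also gives the Observability layer the record it currently lacks.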
MAESTRO is the 7-layer agentic threat-modeling framework published by the Cloud Security Alliance (Ken Huang).