obsidian-second-brain

Fail

Audited by Gen Agent Trust Hub on Jun 29, 2026

Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill instructs users to install the tool by piping a remote script from GitHub directly into bash (curl -fsSL ... | bash).\n- [COMMAND_EXECUTION]: The scripts/install.sh script automates the registration of a post-turn hook by modifying the ~/.jeo/config.json file using jq. This file is known to contain sensitive authentication tokens.\n- [EXTERNAL_DOWNLOADS]: The installation process involves downloading external code via git clone from repositories owned by the author (akillness/obsidian-second-brain and akillness/jeo-skills).\n- [COMMAND_EXECUTION]: The installer uses npx skills add to install components, which executes code from the npm registry.\n- [COMMAND_EXECUTION]: The skill makes use of the Bash tool to perform complex vault maintenance tasks and run scheduled agents.
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/akillness/obsidian-second-brain/main/scripts/quick-install.sh - DO NOT USE without thorough review
Audit Metadata
Risk Level
HIGH
Analyzed
Jun 29, 2026, 05:45 AM
Security Audit — agent-trust-hub — obsidian-second-brain