obsidian-second-brain
Fail
Audited by Gen Agent Trust Hub on Jun 29, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill instructs users to install the tool by piping a remote script from GitHub directly into bash (
curl -fsSL ... | bash).\n- [COMMAND_EXECUTION]: Thescripts/install.shscript automates the registration of apost-turnhook by modifying the~/.jeo/config.jsonfile usingjq. This file is known to contain sensitive authentication tokens.\n- [EXTERNAL_DOWNLOADS]: The installation process involves downloading external code viagit clonefrom repositories owned by the author (akillness/obsidian-second-brainandakillness/jeo-skills).\n- [COMMAND_EXECUTION]: The installer usesnpx skills addto install components, which executes code from the npm registry.\n- [COMMAND_EXECUTION]: The skill makes use of theBashtool to perform complex vault maintenance tasks and run scheduled agents.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/akillness/obsidian-second-brain/main/scripts/quick-install.sh - DO NOT USE without thorough review
Audit Metadata