obsidian-second-brain

Warn

Audited by Socket on Jun 29, 2026

2 alerts found:

Anomalyx2
AnomalyLOW
SKILL.md

SUSPICIOUS: the skill’s core capabilities fit its stated Obsidian/research purpose, and the cited install sources appear same-project and documented. However, it combines transitive skill installation, remote installer patterns, autonomous scheduled writes, and ingestion of untrusted web/social content with write/exec permissions, making it a medium-to-high security risk despite low evidence of deliberate malware.

Confidence: 88%Severity: 62%
AnomalyLOW
scripts/install.sh

No direct evidence of intentional malware is visible in this installer script alone (no hardcoded secrets, no exfiltration logic, no obfuscation, no overt backdoor). The dominant risk is high-impact supply-chain/persistence behavior: it downloads and executes code from remote GitHub repos (via npx/git), runs an upstream setup.sh, and registers a persistent jeo post-turn hook that later executes an adapter script from local filesystem paths. If upstream repos or local adapter files are compromised/tampered with, this script would enable execution with user privileges and persistence in jeo.

Confidence: 64%Severity: 58%
Audit Metadata
Analyzed At
Jun 29, 2026, 05:45 AM
Package URL
pkg:socket/skills-sh/akillness%2Foh-my-skills%2Fobsidian-second-brain%2F@2705d4261ee268121f98020d9697dfb770ecb0a34a8137147d1695ec3450808d
Security Audit — socket — obsidian-second-brain