hermes-kanban-obsidian-integration

Warn

Audited by Socket on May 17, 2026

1 alert found:

Anomaly (LOW)
SKILL.md

SUSPICIOUS: the core behavior matches the stated Obsidian Kanban purpose, but the trust chain is weak. The skill asks users to install and run code from a personal GitHub repo that does not clearly match the claimed publisher, disable Obsidian Safe Mode, and optionally expose a writable REST API on the network with silent trust mode. No clear credential harvesting or malicious exfiltration is shown, so this is not confirmed malware, but the install provenance and remote-control surface make it higher-risk than a normal local productivity skill.

Confidence: 83%
Severity: 66%

Audit Metadata
Analyzed At: May 17, 2026, 11:51 PM
Package URL: pkg:socket/skills-sh/Aradotso%2Fhermes-skills%2Fhermes-kanban-obsidian-integration%2F@498cc819be10172db7b7f462ab15bf4f8c5edbea