obsidian-cli
Warn
Audited by Gen Agent Trust Hub on Apr 6, 2026
Risk Level: MEDIUMREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill includes an
obsidian evalcommand which allows the execution of arbitrary JavaScript code directly within the context of the Obsidian application (e.g.,obsidian eval code="app.vault.getFiles().length"). This can be exploited to execute malicious scripts if the input is not strictly controlled. - [DATA_EXFILTRATION]: The skill grants access to sensitive data and surveillance capabilities, such as reading vault notes (
obsidian read), capturing screenshots of the workspace (obsidian dev:screenshot), and inspecting the DOM or console logs (obsidian dev:dom,obsidian dev:console). Combined with network access (if the agent has it), this could lead to data exfiltration. - [COMMAND_EXECUTION]: The skill enables extensive control over the local file system and application state through the
obsidianCLI, allowing the agent to create, modify, and delete content or properties within the user's vaults. - [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection because it reads untrusted data from vault notes while possessing high-privilege capabilities like code execution.
- Ingestion points: Notes read via
obsidian read,obsidian search, orobsidian daily:read(found in SKILL.md). - Boundary markers: None. There are no instructions for the agent to ignore or delimit instructions found within notes.
- Capability inventory: Arbitrary JS execution (
eval), file modification, screenshot capture, and DOM inspection. - Sanitization: None provided; the skill directly passes content to and from the CLI.
Audit Metadata