obsidian-vault-builder
Warn
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill provides a template for a JavaScript macro (
transcribeVoice.js) that utilizeschild_process.execFileto execute a local binary (claude.exe) with arguments. This pattern allows the agent or user to spawn subprocesses with dynamically constructed prompts. - [DYNAMIC_EXECUTION]: The skill includes complete JavaScript code snippets for implementation as QuickAdd User Scripts. These scripts load internal Node.js modules like
child_process,path, andutilto perform file system operations and execute commands outside the typical AI agent sandbox. - [EXTERNAL_DOWNLOADS]: The documentation references multiple third-party Obsidian plugins and an "obsidian.com" CLI tool. Some recommended plugins (e.g.,
Claudian,ObsidiBot) are explicitly described as being unavailable in the official Obsidian store, necessitating the use of the "BRAT" plugin for direct installation from GitHub. The use of a command namedobsidian.comis particularly notable on Windows systems, where the.comextension represents an executable file format, posing a potential risk if a malicious file with that name is present in the working directory. - [DATA_EXFILTRATION]: The skill details the use of
curlto interact with the Obsidian Local REST API, involving the handling of sensitive bearer tokens ($OBSIDIAN_REST_API_KEY). While the examples target localhost, the methodology establishes a capability for network-based data movement from the vault environment. - [INDIRECT_PROMPT_INJECTION]: The skill processes arbitrary Markdown content from a user's vault to automate workflows. The
transcribeVoice.jsscript interpolates external file paths directly into prompts for secondary AI processes without boundary markers or sanitization, creating an attack surface where untrusted vault content could influence agent behavior.
Audit Metadata