obsidian-cli
Warn
Audited by Gen Agent Trust Hub on Mar 19, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill documentation describes the use of an external command-line tool,
obsidian, to perform all vault operations. The agent is instructed to execute various subcommands through this CLI. - [REMOTE_CODE_EXECUTION]: The
obsidian evalcommand allows for the execution of arbitrary JavaScript code within the runtime environment of the Obsidian application. This provides a mechanism for running unvetted code that can access internal app APIs and data. - [DATA_EXFILTRATION]: The skill provides several commands that expose sensitive user information, including
obsidian read(file content),obsidian search(search results),obsidian dev:screenshot(visual workspace data), andobsidian dev:console(application logs). - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted data from the user's vault that could influence agent behavior.
- Ingestion points: Note content retrieved via
obsidian readandobsidian searchresults. - Boundary markers: The instructions do not define delimiters or specific safety markers for distinguishing file content from agent instructions.
- Capability inventory: The skill has access to file system operations, arbitrary JavaScript execution via
eval, and UI inspection/capture tools. - Sanitization: There is no mention of sanitizing or escaping the data read from the vault before it is interpreted by the agent.
Audit Metadata