obsidian-cli
Pass
Audited by Gen Agent Trust Hub on Apr 27, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill operates entirely through a local
obsidianCLI tool, executing various subcommands to read, write, move, and delete files within the user's note vaults. It also provides commands to execute Obsidian internal commands viaobsidian command id=.... - [EXTERNAL_DOWNLOADS]: The skill includes functionality to manage Obsidian community plugins (
obsidian plugin:install,obsidian plugin:enable). This involves downloading third-party JavaScript code from the Obsidian community registry and executing it within the Obsidian application environment. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8). It ingests untrusted data from vault notes via commands like
obsidian read,obsidian search:context, andobsidian template:read. It lacks explicit boundary markers or sanitization logic to prevent the agent from accidentally executing instructions embedded within the note content. The risk is mitigated by the included instruction to 'Confirm with the user before executing write/delete commands'. - [DATA_EXPOSURE]: The skill documentation provides examples for searching sensitive information within the vault, such as
obsidian search:context query="API key", highlighting its capability to access and expose potentially sensitive credentials stored in notes.
Audit Metadata