Skills
skills/mathruffian-dot/claude-code-lazy-packs/cc-obsidian/Gen Agent Trust Hub

cc-obsidian

Warn

Audited by Gen Agent Trust Hub on Jun 14, 2026

Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill requires the installation of the @bitbonsai/mcpvault global NPM package and the cli-anything-hub PyPI package, which are hosted on public registries but authored by unverified third parties.
  • [COMMAND_EXECUTION]: The instructions include several shell commands that modify the system environment or local configurations:
  • npm install -g @bitbonsai/mcpvault for global package installation.
  • claude mcp add obsidian -- npx @bitbonsai/mcpvault <VAULT_PATH> which adds a persistent command to the agent's MCP settings.
  • cli-hub install obsidian which performs a secondary dynamic installation of a tool from an external hub.
  • [REMOTE_CODE_EXECUTION]: The use of cli-hub install obsidian represents an indirect remote code execution vector, as it downloads and installs executable code from a third-party hub (cli-anything-hub) that is not part of standard trusted software repositories.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 14, 2026, 02:06 AM
Security Audit — agent-trust-hub — cc-obsidian