obsidian-cli
Fail
Audited by Gen Agent Trust Hub on Mar 21, 2026
Risk Level: HIGH
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill interacts with the local system and the Obsidian application by invoking the `obsidian` command-line utility for note management and application control.
- [REMOTE_CODE_EXECUTION]: The `obsidian eval` command enables the execution of arbitrary JavaScript code directly within the Obsidian application's environment. This provides a powerful mechanism for runtime code execution that could be exploited to perform unauthorized actions on the user's behalf.
- [DATA_EXFILTRATION]: The skill includes capabilities to read the full content of notes (`obsidian read`), search through the entire vault (`obsidian search`), and extract text content from the application's DOM (`obsidian dev:dom`). This allows an agent to access and potentially exfiltrate sensitive personal data stored within the user's private notes.
- [EXTERNAL_DOWNLOADS]: The skill references external documentation from the official Obsidian organization repository on GitHub (raw.githubusercontent.com/obsidianmd/obsidian-help).
- [PROMPT_INJECTION]: Because the skill is designed to ingest and process untrusted data from the user's vault (via read and search operations), it is vulnerable to indirect prompt injection. Maliciously crafted notes could contain instructions that attempt to hijack the agent's logic or bypass its safety constraints when the note's content is processed.
Recommendations
- AI detected serious security threats
Audit Metadata