obsidian-clis
Warn
Audited by Gen Agent Trust Hub on May 14, 2026
Risk Level: MEDIUMREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill documents the
obsidian evalcommand inSKILL.md, which allows the execution of arbitrary JavaScript code within the context of the running Obsidian application. This feature can be exploited to run malicious scripts if an agent is influenced by untrusted input. - [COMMAND_EXECUTION]: The instructions empower the agent to use
obsidianandnotesmd-clibinaries for comprehensive file system operations including creating, moving, and deleting files within the user's local vault. - [DATA_EXFILTRATION]: Developer commands documented in
SKILL.md, specificallyobsidian dev:screenshotandobsidian dev:dom, provide mechanisms to capture visual state and UI content from the application, potentially exposing sensitive information. - [PROMPT_INJECTION]: The skill exposes a surface for indirect prompt injection due to its core function of reading and searching user-generated vault content.
- Ingestion points: Files
SKILL.md(viareadandsearchcommands) andnotesmd-fallback.md(viaprintandsearch-contentcommands) facilitate the ingestion of untrusted data from notes. - Boundary markers: The instructions lack explicit boundary markers or directives to ignore instructions embedded within the notes being processed.
- Capability inventory: The agent has access to arbitrary JavaScript execution (
obsidian eval), file system manipulation (create,delete), and UI data capture (dev:screenshot). - Sanitization: There are no documented procedures for sanitizing or validating note content before it is processed by the agent.
Audit Metadata