obsidian
Fail
Audited by Gen Agent Trust Hub on Mar 20, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on an external CLI tool named `obsidian` and uses the macOS `open` command to launch applications and manage the environment.
- [REMOTE_CODE_EXECUTION]: The `obsidian eval` command accepts a `code` parameter that allows for the execution of arbitrary JavaScript within the context of the running Obsidian application. This provides a direct path for arbitrary code execution if the input is influenced by untrusted data.
- [DATA_EXFILTRATION]: The skill exposes multiple interfaces for accessing sensitive user data, including reading note content (`obsidian read`), searching the vault (`obsidian search`), taking application screenshots (`obsidian dev:screenshot`), and extracting text from the DOM (`obsidian dev:dom`).
- [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection.
  - Ingestion points: The skill reads untrusted data from the user's Obsidian vault via `obsidian read`, `obsidian search`, and app state inspection commands like `obsidian dev:console` and `obsidian dev:dom` (SKILL.md).
  - Boundary markers: There are no markers or instructions to treat data from the vault as untrusted or to ignore embedded instructions (SKILL.md).
  - Capability inventory: The skill possesses dangerous capabilities including writing/appending to files (`obsidian create`, `obsidian append`) and executing arbitrary JavaScript (`obsidian eval`) (SKILL.md).
  - Sanitization: There is no evidence of sanitization or validation performed on data retrieved from the vault before it is used in further commands (SKILL.md).
Recommendations
- AI detected serious security threats
Audit Metadata