obsidian-devtools
Fail
Audited by Gen Agent Trust Hub on Apr 16, 2026
Risk Level: HIGH (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [REMOTE_CODE_EXECUTION]: The tool 'obsidian_eval' allows for the execution of arbitrary JavaScript within the Obsidian application context. This provides deep access to the Obsidian API and potentially the underlying Node.js environment. The implementation relies on a missing file 'sdk.py' for the core evaluation logic (ObsidianClient.eval), preventing verification of the execution mechanism and any internal safety checks.
- [COMMAND_EXECUTION]: The skill uses 'subprocess.Popen' in 'launcher.py' to start the Obsidian application with remote debugging flags enabled ('--remote-debugging-port'). Multiple modules (actions.py, native.py, uri.py, importer.py) use 'subprocess.run' to execute the macOS 'open' command with potentially user-controlled URI strings, which could be abused to interact with other system applications.
- [DATA_EXFILTRATION]: The skill can read any file within the Obsidian vault and access sensitive metadata. Combined with the RCE capability, this data could be exfiltrated to external endpoints via standard browser APIs (e.g., fetch, XMLHttpRequest) without user knowledge.
- [PROMPT_INJECTION]: The 'SecurityGuard' in 'security.py' attempts to sanitize input using regular expressions to block dangerous patterns like 'fs.write' and 'child_process'. However, these protections are easily bypassed using JavaScript's dynamic property access (e.g., app['vault']['delete']) or string concatenation, which an LLM could be prompted to generate.
Recommendations
- AI detected serious security threats