obsidian-mcp-apps
Warn
Audited by Snyk on Apr 16, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly requires connecting to external MCP servers and localhost-backed runtimes and rendering their UIs (see SKILL.md and references such as the Connection manager/app registry, ExcalidrawRuntimeView, which creates an iframe from the configured runtime.url, and RuntimeService, which fetches the runtime via requestUrl()), meaning untrusted third-party app content (ui:// resources or arbitrary server-provided UIs) is fetched and interpreted as part of elicitation and vault-action workflows, and could therefore influence subsequent actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The plugin runtime probes and embeds the configured localhost runtime (default http://127.0.0.1:19274; e.g. GET http://127.0.0.1:19274/health and an iframe with src=http://127.0.0.1:19274) at runtime, loading and executing remote app code in the iframe, and the skill explicitly depends on that runtime as a required dependency.
Issues (2)
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata