obsidian-plugin-dev
Pass
Audited by Gen Agent Trust Hub on Apr 16, 2026
Risk Level: SAFE
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill references an external upstream repository (https://github.com/gapmiss/obsidian-plugin-skill) for maintenance tracking and documentation sources.
- [COMMAND_EXECUTION]: The skill includes a Node.js script (tools/create-plugin.js) that performs local file system operations, such as creating directories and writing boilerplate files, which is necessary for its primary purpose as a project generator.
- [PROMPT_INJECTION]: The project generator script represents an indirect prompt injection surface.
  - Ingestion points: User input collected via CLI prompts for plugin name, ID, and description in tools/create-plugin.js.
  - Boundary markers: None present in the generated boilerplate code.
  - Capability inventory: File system write operations (fs.writeFileSync) in tools/create-plugin.js.
  - Sanitization: The script performs structural validation for store compliance but lacks security-focused escaping for user-provided strings.
- [SAFE]: The documentation actively promotes secure coding practices for the Obsidian ecosystem, including instructions to avoid innerHTML to prevent XSS and recommendations for using Obsidian's safe network and DOM APIs.
Audit Metadata