Obsidian CLI

Security checks across malware telemetry and agentic risk

Overview

The skill is a documented reference for the Obsidian CLI, but it exposes commands that modify the vault, install plugins and themes, publish notes, and execute developer code, without safety boundaries adequate for use by an autonomous agent.

Install it only if you intend to let an agent operate your Obsidian vault. Verify that the obsidian binary is the official one, keep the CLI enabled only where it is needed, and require explicit operator approval before any delete, overwrite, restore, publish, plugin/theme install, web, eval, CDP, DOM, or console/debug action.
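The two controls above (pin the binary, gate the sensitive command families behind explicit approval) can be enforced by a thin wrapper the agent harness calls instead of `obsidian` directly. The following POSIX sh is an added example written for this report; it is not code from Obsidian or from the scanned skill. It assumes a pinned SHA-256 that the operator recorded from the official download (the report gives no hash), and it takes the gated command families from the Overview's list; only `obsidian eval code=...` and `obsidian dev:cdp method=...` are spellings the report quotes verbatim, so the other entries in `GATED_PREFIXES` are assumptions to be adjusted to the installed CLI version.

```shell
#!/bin/sh
# Added example, not part of the Obsidian CLI or the scanned skill: an approval
# gate an agent harness can put in front of the `obsidian` binary.
#
# ASSUMPTIONS: GATED_PREFIXES lists the command families the report's Overview
# names as sensitive (delete, overwrite, restore, publish, plugin/theme install,
# web, eval, CDP, DOM, console/debug). Only `eval code=...` and `dev:cdp
# method=...` are quoted verbatim by the report; the remaining spellings are
# guesses and must be matched to the installed CLI. "dev" is listed so that any
# dev:* subcommand (such as dev:cdp) is gated by its prefix.
GATED_PREFIXES="delete overwrite restore publish plugin theme web eval dev cdp dom console debug"

# obsidian_needs_approval CMD [ARGS...]
# Prints "gate" when the first token of the command (the part before any ':'
# subcommand separator, so "dev:cdp" -> "dev") is in GATED_PREFIXES, otherwise
# prints "allow". Arguments after the command name are not inspected.
obsidian_needs_approval() {
  _first=${1%%:*}
  for _p in $GATED_PREFIXES; do
    if [ "$_first" = "$_p" ]; then
      echo gate
      return 0
    fi
  done
  echo allow
}

# obsidian_binary_ok PATH EXPECTED_SHA256
# Returns 0 only when PATH is a regular executable whose SHA-256 equals the
# pinned value. The pinned hash is an operator-supplied assumption: record it
# from the official download and keep it outside the agent's reach.
obsidian_binary_ok() {
  _path=$1
  _want=$2
  [ -f "$_path" ] && [ -x "$_path" ] || return 1
  if command -v sha256sum >/dev/null 2>&1; then
    _got=$(sha256sum "$_path" | cut -d' ' -f1)
  else
    _got=$(shasum -a 256 "$_path" | cut -d' ' -f1)
  fi
  [ "$_got" = "$_want" ]
}

# obsidian_gated PATH EXPECTED_SHA256 CMD [ARGS...]
# Runs the CLI command only if the binary matches the pin and, for gated
# families, the operator has approved this specific call by exporting
# OBSIDIAN_APPROVE=yes. Otherwise prints a reason on stderr and returns
# non-zero, so the agent cannot silently run a destructive or code-executing
# command.
obsidian_gated() {
  _bin=$1
  _pin=$2
  shift 2
  if ! obsidian_binary_ok "$_bin" "$_pin"; then
    echo "refused: $_bin does not match the pinned obsidian binary" >&2
    return 2
  fi
  if [ "$(obsidian_needs_approval "$@")" = gate ] && [ "${OBSIDIAN_APPROVE:-}" != yes ]; then
    echo "refused: '$*' needs explicit operator approval (export OBSIDIAN_APPROVE=yes)" >&2
    return 3
  fi
  "$_bin" "$@"
}
```

The harness should call `obsidian_gated /path/to/obsidian "$PINNED_SHA256" ...` for every invocation and should never be able to set `OBSIDIAN_APPROVE` itself; the operator exports it for a single approved call and unsets it afterwards. Read-only commands outside the gated families pass through unchanged, which keeps note automation usable while the families the report flags stay behind a human decision.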

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
The skill explicitly documents `obsidian eval code=...` and raw `obsidian dev:cdp method=...` capabilities, which enable arbitrary JavaScript execution inside the Obsidian/Electron context and low-level browser debugging commands. In an agent setting, exposing these primitives materially expands scope beyond note automation into code execution, DOM inspection, console/error capture, and potentially access to sensitive vault/UI/session data, making prompt-induced misuse or unsafe delegation much more dangerous.

Vague Triggers

Severity: Medium
Confidence: 79%
The triggers include broad, common terms such as `obsidian`, `vault`, and `daily note`, which are likely to appear in benign conversation and can cause unintended activation. Because the skill includes destructive, privacy-impacting, and developer-level commands, accidental invocation increases the chance that an agent routes a user request into a high-privilege tool context without first verifying the user's intent.

Missing User Warnings

Severity: Medium
Confidence: 92%
The skill catalogs many destructive and privacy-sensitive operations (permanent deletion, overwrite, history/sync restore, plugin/theme installation, publish actions, web access, workspace inspection, console/error capture, DOM inspection, and developer tooling) without consistent warnings, consent boundaries, or risk classification. In an ordinary CLI manual this may be acceptable, but in an agent skill the omission is dangerous: the agent may treat all commands as equally safe and perform irreversible or sensitive actions without explicit user acknowledgement.

VirusTotal

64/64 vendors flagged this skill as clean.
