Back to skill

Security audit

Multimedia To Obsidian

Security checks across malware telemetry and agentic risk

Overview

This skill is a user-run Obsidian import tool that uses external vision-model APIs as advertised, but users should treat document uploads and generated vault writes as privacy-sensitive.

Install only if you are comfortable sending the selected documents' extracted pages or images to MiniMax, OpenAI, or Anthropic using your API key. Use a narrow source directory, avoid confidential or regulated files unless external provider use is approved, use simple category names without slashes or traversal, and review generated Markdown before relying on it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# 清理临时目录
    if os.path.exists(temp_dir):
        subprocess.run(["rm", "-rf", temp_dir], capture_output=True)
    
    print(f"  -> 已保存: {output_md}")
    return len(images)
Confidence
81% confidence
Finding
subprocess.run(["rm", "-rf", temp_dir], capture_output=True)

Tainted flow: 'headers' from os.environ.get (line 101, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
"max_tokens": 1000
    }
    
    resp = requests.post("https://api.openai.com/v1/chat/completions", headers=headers, json=payload, timeout=60)
    data = resp.json()
    
    if "choices" in data and data["choices"]:
Confidence
98% confidence
Finding
resp = requests.post("https://api.openai.com/v1/chat/completions", headers=headers, json=payload, timeout=60)

Tainted flow: 'headers' from os.environ.get (line 101, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
]}]
    }
    
    resp = requests.post("https://api.anthropic.com/v1/messages", headers=headers, json=payload, timeout=60)
    data = resp.json()
    
    if "content" in data:
Confidence
98% confidence
Finding
resp = requests.post("https://api.anthropic.com/v1/messages", headers=headers, json=payload, timeout=60)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill documentation describes capabilities that read local files, write into an Obsidian vault, access environment variables for API keys, invoke shell-installed tools, and send content over the network, but it does not declare permissions or boundaries for those actions. That creates a real trust and review gap: users and policy systems cannot easily understand that sensitive local documents may be processed and transmitted externally.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill description emphasizes importing content into Obsidian, but the implementation also uploads image contents to third-party model APIs. That mismatch in declared versus actual capability is security-relevant because it can cause users to expose confidential document content without understanding that external transmission occurs.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill states that it uses multimodal models to understand document and image content, but it does not clearly warn that the contents of user files will be sent to external model providers such as MiniMax, OpenAI, or Anthropic. This is dangerous because users may upload confidential presentations, PDFs, or images without realizing the data leaves the local environment and becomes subject to third-party processing and retention policies.

Missing User Warnings

Low
Confidence
92% confidence
Finding
The skill writes generated Markdown files into the target Obsidian vault, but the documentation does not present this as a side effect requiring user awareness. While expected for the skill's purpose, silent write behavior can still cause unwanted modification, clutter, overwrite risk, or ingestion of AI-generated content into an existing knowledge base.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code sends image contents to external AI providers without a prominent warning, consent step, or clear notice in the skill behavior. For a tool ingesting arbitrary multimedia documents into a knowledge base, this can expose proprietary, personal, or regulated information unexpectedly.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.