Security audit

Sync Obsidian to Lexiang

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises, but it gains access by reading existing local Lexiang connector OAuth tokens and can upload broad Obsidian vault content to a remote knowledge base.

Install only if you are comfortable letting this skill read your Obsidian vault, reuse an existing local Lexiang connector OAuth token, and upload selected notes and attachments to Tencent Lexiang. Use dry-run first, specify a narrow vault/source directory and target folder, and avoid installing it on machines where connector tokens or vaults belong to a different profile or trust boundary.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares broad capabilities in practice—environment access, local file read/write, shell execution, and network access—without an explicit permissions declaration or consent framing. That mismatch reduces transparency and weakens review boundaries, making it easier for a user or platform to underestimate that the skill can read local vault data, modify files, and transmit content to a remote service.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The skill explicitly instructs code to discover and read OAuth tokens from local connector token files and from an environment variable override, which is credential access behavior. Even if intended to reuse an existing connector session, directly harvesting bearer-equivalent tokens from disk expands the blast radius: any compromise or misuse of the script can exfiltrate those tokens and act as the user against Tencent Lexiang.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The module is explicitly designed to reuse OAuth credentials issued to other local agent connectors and call the Lexiang MCP endpoint directly, bypassing a normal per-skill authorization flow. This lets the skill act with a user's existing connector privileges without clear consent boundaries, which is a credential misuse pattern rather than ordinary API integration.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The token discovery paths enumerate multiple local agent application directories and search for connector token files, which is a form of local credential harvesting. Even if intended for convenience, it accesses sensitive auth material outside the skill's own trust boundary and enables unauthorized reuse of bearer tokens.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
Allowing an environment variable to override authentication lets execution context inject any bearer token, including one unrelated to the documented sync workflow. This weakens provenance and can cause the skill to operate under unintended identities or elevated credentials if the runtime environment is compromised or shared.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The test file embeds a real local Obsidian vault path and fixed target knowledge-base identifiers, which can expose sensitive environment details and may cause tests to operate on real user data if run in a matching environment. In this skill context, that is more dangerous because the project is a sync tool that can touch external knowledge-base content, so accidental execution can leak, enumerate, or modify real notes.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The module docstring says E2E tests require manual triggering, but the real-vault tests are ordinary unittest methods that will run automatically whenever the hard-coded vault path exists. For a synchronization skill, this mismatch can lead to unintended access to real local data and potentially trigger planning or downstream sync behavior against a real knowledge base during routine test execution.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The activation examples are broad enough that an agent could invoke this skill based on a casual request about syncing notes, without first making the sensitive behavior explicit. Because the skill can read a local OAuth token and exfiltrate vault contents and attachments to a remote service, ambiguous triggering materially increases the chance of unintended data transfer.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The README emphasizes 'zero configuration' and 'zero token' but does not prominently warn that the script reads a locally stored OAuth token from the agent's connector directory and uploads vault documents, images, and attachments to a remote MCP endpoint. This can mislead users about the trust boundary and cause them to authorize synchronization of sensitive local knowledge without informed consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill describes a 'zero token' sync flow but does not prominently warn users that it will scan their Obsidian vault, write persistent state files into the vault, and upload documents and attachments to a remote Tencent Lexiang knowledge base. In a data-sync skill, insufficient disclosure is dangerous because users may trigger it without appreciating the local persistence and remote data transfer involved, leading to unintended leakage of sensitive notes or files.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code reads authentication tokens from environment/files and sends them in the X-Oneid-Access-Token header to a remote service without any visible consent prompt, disclosure, or audit control in this module. Silent transmission of bearer credentials is dangerous because compromise of the endpoint, misuse of the API, or user misunderstanding can expose access under the user's identity.

Ssd 3

High
Confidence
99% confidence
Finding
The header comment states the core design is to reuse built-in connector OAuth credentials so the script can operate 'zero config' and without separate authorization. That is an explicit attempt to piggyback on unrelated trust relationships, making the skill more dangerous because the unauthorized credential reuse is intentional and central to its functionality.

Ssd 3

High
Confidence
98% confidence
Finding
The discovery logic searches multiple connector-token locations, parses candidate JWTs, and selects the best available token for use. This operationalizes collection and exploitation of local sensitive credentials, enabling the skill to impersonate the user to the remote service without the originating application's controls.

Env Variable Harvesting

High
Category
Data Exfiltration
Content
Priority: environment variable > the newest unexpired token file across profiles.
    Returns (token, source_path) or (None, None).
    """
    env_tok = os.environ.get("LEXIANG_ONEID_TOKEN", "").strip()
    if env_tok:
        return env_tok, "env:LEXIANG_ONEID_TOKEN"
Confidence
70% confidence
Finding
os.environ.get("LEXIANG_ONEID_TOKEN

Env Variable Harvesting

High
Category
Data Exfiltration
Content
def test_discover_token_env_override(self):
        import os as _os
        old = _os.environ.get("LEXIANG_ONEID_TOKEN")
        _os.environ["LEXIANG_ONEID_TOKEN"] = "x" * 40
        try:
            tok, src = discover_token()
            self.assertEqual(tok, "x" * 40)
Confidence
80% confidence
Finding
os.environ["LEXIANG_ONEID_TOKEN"]

Env Variable Harvesting

High
Category
Data Exfiltration
Content
if old is None:
                _os.environ.pop("LEXIANG_ONEID_TOKEN", None)
            else:
                _os.environ["LEXIANG_ONEID_TOKEN"] = old


class TestIsoToTs(unittest.TestCase):
Confidence
80% confidence
Finding
os.environ["LEXIANG_ONEID_TOKEN"]

Env Variable Harvesting

High
Category
Data Exfiltration
Content
def test_discover_token_env_override(self):
        import os as _os
        old = _os.environ.get("LEXIANG_ONEID_TOKEN")
        _os.environ["LEXIANG_ONEID_TOKEN"] = "x" * 40
        try:
            tok, src = discover_token()
Confidence
70% confidence
Finding
os.environ.get("LEXIANG_ONEID_TOKEN

VirusTotal

65/65 vendors flagged this skill as clean.