Obsidian Official CLI

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate Obsidian CLI skill, but it gives an AI assistant broad power to read, change, delete, publish, customize, and run code in a vault without clear safety guardrails.

Install only if you want an assistant to operate your Obsidian vault. Use explicit rules requiring confirmation before delete, restore, publish, plugin install or enable, theme/workspace changes, bulk edits, and any eval or developer command. Keep backups or version history enabled, limit use to trusted vaults, and verify the optional Homebrew/GitHub source before installing outside ClawHub.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Context-Inappropriate Capability

High
Confidence: 96%
Finding
The README explicitly exposes an `obsidian eval code=...` capability that can execute arbitrary JavaScript inside the running Obsidian context. In an agent skill whose purpose is note/task/search automation, documenting and encouraging arbitrary code execution materially expands the attack surface beyond normal note management and could enable vault manipulation, data exfiltration, or abuse of Obsidian's plugin/app APIs if an agent is induced to use it.

Missing User Warnings

Medium
Confidence: 87%
Finding
The README advertises that AI assistants can automatically read, write, and organize the user's Obsidian vault, including databases, plugins, and workspace state, without prominent warnings about destructive changes or trust boundaries. This can lead users or downstream agent frameworks to grant broad unattended modification authority over sensitive notes and configuration.

Missing User Warnings

Medium
Confidence: 90%
Finding
The examples normalize plugin installation and workspace/theme changes as routine agent actions without warning that these operations alter executable extensions and user environment state. Installing plugins is especially sensitive because plugins can execute code and affect data, making this more dangerous than ordinary note edits.

Missing User Warnings

Medium
Confidence: 92%
Finding
The quick reference includes destructive and state-changing commands such as deleting notes and modifying note content/properties, but it does not warn that these operations are irreversible or can overwrite user data. In an AI-agent context, concise command examples are likely to be copied or executed automatically, which increases the chance of unintended data loss or unauthorized modification of a user's vault.

VirusTotal

66/66 vendors flagged this skill as clean.
