Security audit

Obsidian Sync Syncthing

Security checks across malware telemetry and agentic risk

Overview

This is mostly a normal Obsidian sync guide, but it includes an under-explained script that can copy private notes to an iCloud path despite advertising a no-iCloud setup.

Review and edit all paths before following the guide. Back up your Obsidian vault first, enable Syncthing versioning, and avoid the rsync/iCloud script unless you intentionally want a second copy of your notes in that destination.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 80%
Finding
The embedded script performs write operations to a destination vault path using rsync without any explicit safety warning, dry-run guidance, or backup recommendation. In a note-taking/vault context, this can lead to unintended overwrite, propagation of mistakes, or data loss if users run it against the wrong source or destination, especially because the skill presents it as a routine sync step.

VirusTotal

65/65 vendors flagged this skill as clean.