Obsidian Vault Writer

Security checks across malware telemetry and agentic risk

Overview

This skill is a clearly disclosed Obsidian note-writing helper that uses a declared CLI and includes reasonable safeguards for vault selection and overwrites.

Before installing, confirm that you trust the third-party notesmd-cli package and that the selected vault path is the one you want the agent to modify. Use explicit prompts for overwrite, move, or delete operations, and avoid storing sync tokens or credentials in notes or chat context.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence: 89%
Finding
The README explicitly promotes creating and appending notes in an Obsidian vault but does not warn that the skill performs file modifications. In an agent setting, missing disclosure about write behavior can lead to unintended persistence, overwriting, or silent alteration of user notes, especially on remote or headless systems where changes are less visible.

VirusTotal

57/57 vendors flagged this skill as clean.
