Obsidian FNS

Security checks across malware telemetry and agentic risk

Overview

This Obsidian note-sync skill appears purpose-built, but it gives agents persistent remote vault mutation authority and can store secrets in plaintext local config.

Install only if you trust the Fast Note Sync endpoint and are comfortable letting the agent read and modify the configured Obsidian vault. Prefer environment variables or a secure secret store over set-config for passwords or tokens, avoid exposing login output in logs, and require explicit path/content confirmation before replace, rename, move, overwrite, or restore-history operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill exposes powerful capabilities through shell-invoked Python scripts that can perform network access, read and write notes, and likely use environment-based credentials, but the skill metadata does not declare any permissions. This creates a transparency and governance gap: operators and policy engines cannot accurately assess or constrain what the skill can do, increasing the risk of unintended data access, remote modification, or misuse of stored tokens.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill goes beyond note read/search/write by implementing authentication and account-management behavior, including login with credentials and token handling. In an agent skill, this expands the trust boundary and enables access bootstrapping and secret processing that are not clearly disclosed by the skill’s stated purpose, increasing the chance of credential misuse or overprivileged use.

Context-Inappropriate Capability

Low
Confidence
82% confidence
Finding
The skill can retrieve user account information and enumerate all vaults, which is broader than the declared note-centric workflow. Even if intended for convenience, these discovery endpoints expose metadata that may aid reconnaissance or reveal more about the user environment than necessary for a single note operation.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The implementation includes destructive and state-altering operations such as replace, rename, move, and history restore, which are more powerful than a simple read/search/write description suggests. Understating these capabilities can cause operators or users to grant trust without understanding that the skill can substantially modify or revert vault contents.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The login flow persists the returned token and also stores the supplied credentials in a local JSON config file without warning or protection. Storing long-lived secrets in plaintext on disk materially increases exposure to local compromise, accidental backup leakage, or unintended reuse by other processes.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The set-config command writes sensitive values including password and token directly to a local config file with no warning, encryption, or permission hardening. This creates a straightforward secret-at-rest risk, especially on shared systems, in backups, or where home-directory files are broadly readable.

VirusTotal

66/66 vendors flagged this skill as clean.
