Obsync

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward command reference for an Obsidian Sync CLI, with sensitive credential and sync behavior disclosed and aligned with its purpose.

Install only if you trust the upstream obsync CLI and the machine where it will run. Avoid putting real passwords directly in reusable shell history or shared environment files, verify the vault name and local path before pull/push/watch, and make a backup before first sync or before enabling the background service.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The documentation includes examples that place sensitive material directly in environment variables and demonstrates entering account credentials without warning about shell history, process inspection, or persistence risks. On headless systems using a file-backed keyring, this can lead to credential exposure if users copy these examples verbatim.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The documented pull, push, and watch operations modify local and remote vault state, but the skill does not warn that sync can overwrite, propagate deletions, or replicate unintended changes bidirectionally. Users may run these commands on the wrong path or vault and cause substantial data loss or corruption.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal