Obsidian Semantic Search

Audited by ClawScan on May 10, 2026.

Overview

This appears to be a real local Obsidian search integration, but it gives an AI/MCP server broad read, write, overwrite, and persistent indexing access to your private vault using code that is not included for review.

Install only if you are comfortable giving a local MCP server and connected assistant broad access to your Obsidian vault. Review the upstream code and install script first, pin a trusted version, back up your vault, restrict the vault path to non-sensitive notes if possible, and require explicit confirmation before any write or overwrite operation.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken or manipulated assistant action could change or overwrite notes in the user's Obsidian vault.

Why it was flagged

The skill exposes file-creation, append, and full-overwrite operations to the assistant, but the artifact does not document confirmation gates, backups, path allowlists, or a read-only default.

Skill content

`append_content` | Append text to a file (creates if missing) ... `write_file` | Overwrite a file completely

Recommendation

Use a backed-up vault, prefer read-only/search-only operation if available, and require explicit user confirmation before append, create, overwrite, or reindex actions.

What this means

Private notes may become persistently searchable and reusable by future assistant interactions; malicious or misleading notes could also be retrieved as context.

Why it was flagged

The skill can persistently index one or more private vaults into a vector database and automatically refresh that index, without clearly documenting exclusions, retention, approval, or how retrieved content should be trusted.

Skill content

`OBSIDIAN_VAULTS` | No | — | Comma-separated paths for multi-vault ... PostgreSQL 17 + pgvector: Stores 768-dim vector embeddings ... Watchdog file watcher: Auto-re-indexes when vault files change

Recommendation

Limit the vault paths, exclude sensitive folders, understand where the database is stored, periodically clean/remove indexes, and treat retrieved note text as untrusted user content.

What this means

Any assistant configured to use this MCP server may be able to read or modify vault content according to the exposed tool set.

Why it was flagged

The MCP bridge gives assistants access to vault search, reads, and writes, but the artifact does not describe identity checks, permission separation, or data-boundary controls between assistants and the vault.

Skill content

exposes 10 tools to any MCP-compatible AI assistant

Recommendation

Only connect trusted assistants, review the MCP server configuration, and separate read-only and write-capable access where possible.

What this means

The code actually installed may differ from what was reviewed here and could change if the upstream main branch changes.

Why it was flagged

The install path executes an unpinned remote script from the repository's main branch; this is user-directed and related to setup, but the executable installer and server code are not included in the reviewed artifact set.

Skill content

bash <(curl -fsSL https://raw.githubusercontent.com/celstnblacc/obsidian-semantic-mcp/main/install.sh) --mode 2 --vault /path/to/your/vault

Recommendation

Inspect the repository and install script before running it, pin to a trusted commit or release, and avoid curl-to-bash installation if you cannot review the code.

What this means

The service may keep running, watching, and indexing your vault until stopped or removed.

Why it was flagged

The skill runs ongoing local services and a watcher that continues indexing vault changes after setup. This is disclosed and purpose-aligned, but it is persistent background behavior.

Skill content

Monitoring Dashboard (port 8484) ... Watchdog file watcher: Auto-re-indexes when vault files change (0.5s debounce)

Recommendation

Check service status regularly, restrict dashboard exposure, and use the documented `osm remove` cleanup command when you no longer need it.

What this means

Users may overestimate the privacy of all setup modes if they choose a remote embedding server.

Why it was flagged

The local/no-cloud claim is broadly reassuring, but the setup options include a remote Ollama mode, which may process vault-derived text on another machine if selected.

Skill content

Fully local — no API keys, no cloud ... Mode 4: Docker + remote Ollama (SSH tunnel to a GPU server)

Recommendation

Use the fully local Docker/native mode for private vaults, and treat remote Ollama mode as sharing note-derived content with the remote machine.