Security audit

Obsidian Semantic Search

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Obsidian search integration, but it asks users to run unpinned remote installers and gives assistants broad read/write access to private vault content.

Install only if you are comfortable letting an MCP server and connected assistant search, read, append to, and overwrite files in the selected Obsidian vault. Review and pin the upstream installer before running it, avoid force-installing solely because the skill says to, back up your vault, restrict vault paths to notes you are willing to expose, and use fully local mode unless you trust the remote Ollama host.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding: The metadata markets the skill as 'Fully local — no API keys, no cloud, zero cost,' but later documents a remote Ollama mode over SSH to a GPU server. This is a material security-relevant inconsistency: users may assume data never leaves the local machine, while the documented architecture can send vault contents and embeddings to a remote host, which changes the trust boundary for that data.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding: The troubleshooting section says the skill 'contains no executable code beyond documentation' and encourages forcing installation after a security warning, even though the document itself instructs users to run shell installers, clone a repo, execute tooling, start containers, and register an MCP server. That kind of minimization can lead users to override security prompts and run code they have not reviewed, increasing the risk of unsafe installation behavior.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The skill exposes file-modifying tools such as 'append_content' and 'write_file' but does not clearly warn that they can create new files or fully overwrite existing vault content. In a note-taking vault containing valuable personal or work data, this omission can lead to accidental destructive actions by users or by downstream agents operating with insufficient caution.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The one-liner install tells users to execute a remote shell script fetched via curl directly into bash, without any safety warning, version pinning, checksum verification, or review step. This is dangerous because compromise of the upstream source, the transport, or the referenced branch could result in arbitrary code execution on the user's machine during installation.

External Script Fetching

Severity: Low
Category: Supply Chain
Confidence: 93%
Content (excerpt from the skill's install documentation):

### Prerequisites

- **Docker Desktop** (running)
- **uv** (Python package manager): `curl -LsSf https://astral.sh/uv/install.sh | sh`
- **An Obsidian vault** on your local filesystem

### One-Liner Install

Finding: `curl -LsSf https://astral.sh/uv/install.sh | sh`

VirusTotal

62/62 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.