Back to skill

Security audit

git-backed-obsidian-cli-workflows

Security checks across malware telemetry and agentic risk

Overview

This Obsidian note workflow is mostly legitimate, but it has under-scoped write and sync behavior that could modify files outside the vault or push unintended vault contents to a Git remote.

Install only if you are comfortable with automatic Git commits and pushes from the configured Obsidian vault. Use a dedicated vault repository, verify the remote and branch, keep secrets out of the vault, avoid absolute or ../ note paths, and treat NOTES_BACKUP_SCRIPT as trusted code execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises shell, environment, and file-write capabilities but does not declare explicit permissions or constraints for them. This creates a transparency and governance gap: an agent may invoke filesystem modification and shell-based sync behavior without clear policy boundaries, making unintended note changes or repository operations more likely.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior says the skill primarily uses the official Obsidian CLI, but it also permits direct file writes and Git synchronization workflows that can commit and push changes. That mismatch is dangerous because users and calling agents may treat the skill as a constrained note tool when it can actually modify the vault directly and propagate changes to a remote repository, increasing the risk of unintended data alteration or disclosure.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script executes a backup program from the NOTES_BACKUP_SCRIPT environment variable with no allowlisting, path restriction, or integrity check. In an agent/runtime context where environment variables can be influenced, this turns a note workflow into arbitrary code execution under the agent's privileges, which is far broader than the stated skill purpose.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill claims to use the official Obsidian CLI, but core operations silently fall back to direct filesystem writes. This broadens capability from controlled CLI note actions to unrestricted local file modification behavior, creating a mismatch that can bypass policy assumptions and make downstream safety controls less effective.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Append and create accept user-controlled note paths, then join them with VAULT_ROOT without checking for absolute paths or '..' traversal. Pathlib path joining will allow writes outside the vault when given absolute or traversal-containing input, enabling arbitrary file overwrite/append on the host within the process permissions.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The code comments and CLI path imply note creation is conservatively limited to vault-root note names, but the fallback path writes any provided path. This inconsistency can mislead reviewers and operators into believing a narrower trust boundary exists while the implementation actually permits broader file writes.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill instructs automatic post-write backup/sync and allows fallback file writing, but it does not prominently warn that using write workflows can modify notes and trigger Git-backed propagation. In this context, that omission matters because Obsidian vaults often contain sensitive personal or operational notes, and automatic sync can spread accidental or malicious content to local history and remote repositories.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation describes a write surface that can append notes, create files, and perform automatic post-write sync/backup, but it does not clearly warn that these actions modify user data and may immediately propagate changes. In an agent setting, this omission can cause users or downstream systems to treat the workflow as routine querying rather than state-changing behavior, increasing the risk of unintended note modification or accidental synchronization of sensitive content.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script automatically performs `git fetch`, `pull --rebase --autostash`, and `push` against the remote repository with no interactive confirmation or explicit disclosure at execution time. In a note-management skill, this can unintentionally exfiltrate note contents or metadata to a remote, and can also import remote changes into the local vault unexpectedly, which is a real security and privacy concern even if it is likely intended as backup behavior.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script stages all changes with `git add -A` and commits them automatically, which can capture every modified, deleted, or newly created file in the vault without user review. In a Git-backed Obsidian vault, that may include sensitive notes, attachments, tokens, or accidentally placed files, making unintended persistence and later remote publication more likely.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.