Obsidian Vault Integration

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill is mostly a normal Obsidian vault helper, but its file paths are not confined to the vault, so it should be reviewed before use.

Only install this if you are comfortable letting agents read and update the chosen Obsidian vault. Use a dedicated vault or tightly scoped folder, keep backups, and patch or configure the scripts so file arguments cannot include absolute paths or ../ traversal before relying on it for sensitive notes.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken or adversarial file name could cause the agent to alter or corrupt local files outside the Obsidian vault.

Why it was flagged

The user- or agent-supplied --file value is joined to the vault path and then written without resolving and verifying that it is still inside the vault. A value containing traversal such as ../ could target writable files outside the vault.

Skill content
filepath = vault / filename
if filepath.exists():
    return filepath
...
write_file_with_lock(filepath, new_content, mtime)

Recommendation

Resolve both the vault path and target path, reject absolute paths and .. traversal, require the resolved target to be under the vault, and ask for confirmation before writes.

What this means

A crafted file argument could cause the agent to read local markdown or text files outside the intended vault boundary.

Why it was flagged

The read helper also accepts a requested filename without validating that the resolved path remains under the vault directory.

Skill content
filepath = vault / filename
...
with open(filepath, 'r', encoding='utf-8') as f:

Recommendation

Apply the same vault-boundary checks to reads, and limit reads to approved vault files or extensions.

What this means

Incorrect or malicious edits to shared notes could influence later agent work or expose private vault content to agents using the skill.

Why it was flagged

The vault is used as persistent shared context, and the default mode allows all agents to read and write all vault content.

Skill content
Solo mode (default): all agents can read/write everything

Team mode (v2, not yet implemented)

Recommendation

Use a dedicated vault or folder for agent-shared notes, keep backups, and add folder-level permissions or review steps for sensitive files.