Back to skill

Security audit

Obsidian Vault Integration

Security checks across malware telemetry and agentic risk

Overview

This Obsidian vault skill is purpose-aligned, but its unchecked file paths can let reads and writes escape the intended vault, so it needs review before use.

Install only for a dedicated, backed-up vault that does not contain secrets or highly sensitive notes. Before relying on it, patch the scripts to reject absolute paths and ../ traversal, verify resolved paths stay under the vault root, and require explicit user approval for writes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises and instructs use of environment-derived configuration plus read/write access to an Obsidian vault, but it does not declare explicit permissions or constraints for those capabilities. That creates hidden authority: an agent may gain broad filesystem access to potentially sensitive notes and modify shared knowledge without a clear policy boundary, increasing the chance of overreach or unsafe invocation.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
`read_file` joins the user-supplied `filename` directly with the vault path and only checks `exists()`. An attacker can supply paths like `../../secret.txt` or an absolute path, causing the tool to read files outside the intended Obsidian vault boundary and exfiltrate arbitrary local data.

Context-Inappropriate Capability

Low
Confidence
84% confidence
Finding
The script accepts OBSIDIAN_VAULT_PATH from the environment as an alternative to an explicit vault path, which broadens the trust boundary for a write-capable tool. If an attacker can influence the process environment, they may redirect writes and audit logs to an unintended directory, causing unauthorized file modification outside the intended vault.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger phrases are very broad, including common language like "check the vault" and "update the business plan," which can cause accidental or ambiguous activation. In a skill with write capabilities, overly permissive invocation increases the risk of unintended reads of sensitive notes or unauthorized modifications to shared documents.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
This utility is explicitly designed to enumerate vault files and emit note contents/metadata as JSON or markdown, which can expose sensitive business plans, team information, and open questions to downstream agents or logs. In the context of a shared knowledge-base integration, that exposure is especially risky because vaults often contain high-value internal information and the script provides no consent, scoping, or redaction controls.

VirusTotal

49/49 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.