Back to skill

Security audit

Obsidian CLI Plugins

Security checks across malware telemetry and agentic risk

Overview

This skill has broad Obsidian vault and Git-sync powers, but the artifacts disclose them and mostly scope them to configured vault workflows.

Install only if you want an agent to edit your Obsidian vault and use Git sync for it. Review the target vault and remote repository first, because normal task/record workflows may commit and push vault changes and copied attachments; use local-only modes when you do not want remote sync.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill clearly instructs the agent to use shell commands, read and write vault files, and consume environment variables, yet it declares no explicit permissions boundary. That mismatch is dangerous because an orchestrator or reviewer may treat the skill as lower-risk than it is, while the documented workflows enable filesystem edits, Git operations, and command execution on the host.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
This constants file exposes a command allowlist/catalog that includes broad app-control, plugin/theme management, sync/history restore, workspace manipulation, publish, web, and developer features far beyond the stated purpose of vault automation for configured vaults. In an agent skill context, merely declaring these capabilities can enable later code paths to invoke dangerous or scope-expanding actions, increasing the risk of destructive changes, data exfiltration, or abuse of Obsidian application internals.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The developer command set includes eval, devtools, console, DOM inspection, CDP control, debugging, screenshots, and mobile emulation, which are highly privileged capabilities unrelated to normal vault automation. If reachable by the skill, these features could execute arbitrary JavaScript in the Obsidian/Electron context, inspect sensitive UI/app state, capture content, or pivot into broader host compromise paths.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Publish and web-viewer commands extend the skill from local vault automation into external exposure and arbitrary URL handling, which is outside the documented purpose. In context, this creates unnecessary avenues for accidental publication of private notes, opening untrusted content, or policy bypass through browser-like features.

Natural-Language Policy Violations

Medium
Confidence
87% confidence
Finding
The configuration hard-codes a Chinese acknowledgement string (`replyContent": "收到媒体,已保存。"`) for a plugin reply path without any indication that the user selected that language. This can override user language expectations and may mislead recipients in multilingual environments, though it is primarily a UX and policy issue rather than a direct security exploit.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The workflow defaults to a sync-backed command that performs local note modifications plus Git commit/pull/push operations, but the instructions do not require an explicit user confirmation or a clear warning that remote repository state may be changed. In an agent setting, this increases the risk of surprising side effects, unintended publication of note contents, or overwriting user expectations when a simple 'add task' request triggers repository synchronization.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The instructions direct the agent to create missing journal notes from templates as part of task insertion, but they do not clearly warn that new files will be created on disk automatically. While this is aligned with the skill's purpose, silent file creation is still a state-changing action that may surprise users or trigger downstream sync/backup workflows.

Missing User Warnings

High
Confidence
83% confidence
Finding
git_commit_push can force-add ignored files, commit them, and push them upstream in one flow, which materially increases the chance of exfiltrating secrets or sensitive local artifacts that were intentionally gitignored. Although paths are normalized to remain inside the repo, there is no in-function confirmation, allowlist, or content sensitivity check before overriding ignore rules and transmitting data to a remote.

Session Persistence

Medium
Category
Rogue Agent
Content
This skill is the required component for Obsidian functionality. It owns vault discovery, Git preflight, record creation, attachment copying, staged-attachment consumption, and sync.

The `obsidian-media-claim` OpenClaw plugin is optional. It does not replace this skill and cannot create Obsidian records by itself. Its main purpose is to claim media-only channel uploads before OpenClaw sends them to the LLM, stage readable media paths for this skill, and avoid unnecessary token spend. If the plugin is absent, text records and explicit local `--attach` records still work through this skill, but media-only-then-text channel uploads need manual/runtime staging and may otherwise involve the model.

## Trigger Rules
Confidence
79% confidence
Finding
create Obsidian records by itself. Its main purpose is to claim media-only channel uploads before OpenClaw sends them to the LLM, stage readable media paths for this skill, and avoid unnecessary token

Session Persistence

Medium
Category
Rogue Agent
Content
## Skill and plugin dependency

`obsidian-cli-plugins` is required for the Obsidian side of this workflow. It provides the commands that create notes, copy attachments into record assets, consume staged media, run Git preflight, commit, and sync.

`obsidian-media-claim` is optional. Install it only when OpenClaw channel uploads should be claimed before model dispatch. Its main value is cost and behavior control: media-only uploads are acknowledged and staged without asking the LLM to inspect or reason about the media. The later text instruction can then use this skill's `attachment-pending` and `--staged-attachment` workflow.
Confidence
88% confidence
Finding
create notes, copy attachments into record assets, consume staged media, run Git preflight, commit, and sync. `obsidian-media-claim` is optional. Install it only when OpenClaw channel uploads should

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dynamic_code_execution

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
scripts/tests/test_sync_openclaw.py:11