Back to skill

Security audit

Obsidian Daily Note

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: save user-directed notes into an Obsidian daily note, with normal privacy caveats for local persistence and URL fetching.

Install only if you want the agent to write selected content into your Obsidian vault. Do not send secrets, regulated data, private screenshots, or sensitive URLs unless you are comfortable with them being saved locally and possibly synced by Obsidian or related backup tools.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill instructs the agent to fetch supplied URLs to extract titles without warning that this can contact external servers. If a user pastes sensitive internal, tokenized, or private URLs, the fetch may disclose access patterns or transmit secrets in the URL to third parties, creating a privacy and data-leak risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill persists arbitrary user content and attachments to local files but does not clearly warn the user at the point of use that the data will be stored on disk. This can lead to accidental retention of sensitive notes, credentials, screenshots, or regulated data in a persistent location the user may not realize is being written to.

Session Persistence

Medium
Category
Rogue Agent
Content
---
name: obsidian-daily-note
description: "Write structured entries into an Obsidian daily note vault. Use when the user sends text, links, or content to be recorded, including research notes, task summaries, ideas, URLs, or meeting takeaways. Triggered by phrases like 记一下, 写入笔记, 记录, 帮我记, 写进obsidian, or when the user pastes URLs. On first use, guides setup of the Obsidian vault path."
agent_created: true
---
Confidence
91% confidence
Finding
Write structured entries into an Obsidian daily note vault. Use when the user sends text, links, or content to be recorded, including research notes, task summaries, ideas, URLs, or meeting takeaways.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.