ClawHub

Obsidian Inbox Pipeline

Security checks across malware telemetry and agentic risk

Overview

This Obsidian automation skill is mostly transparent, but its daily pipeline can automatically run code from outside the reviewed skill and handle sensitive vault content, so it should be reviewed before use.

Install only if you are comfortable giving it access to your Obsidian vault. Before enabling cron, Telegram, Feishu, sibling radar skills, or vault index rebuilding, inspect those scripts and confirm exactly what content will be read, written, executed, or sent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Tainted flow: 'path' from os.environ.get (line 27, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
def write_note(path: str, content: str) -> str:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, 'w', encoding='utf-8') as f:
        f.write(content)
    return path
Confidence
95% confidence
Finding
with open(path, 'w', encoding='utf-8') as f:

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill clearly instructs users to use environment variables, local file paths, cron, shell scripts, and optional network-backed integrations such as Telegram and Feishu, yet no explicit permissions are declared. This creates a transparency and consent gap: an agent or user may underestimate that the skill can read secrets from the environment, write into an Obsidian vault, invoke shell commands, and send data to external services.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script executes a Node.js file from `${OBSIDIAN_VAULT_PATH}/scripts/rebuild_index.mjs`, which is outside the skill’s own trusted codebase and can be modified by vault content or other local processes. In an automation pipeline, this expands the trust boundary and can lead to arbitrary code execution whenever the pipeline runs.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
When --include-content is used, the script reads full-text search results from the vault and prints matching note content directly to stdout. In a knowledge-base skill, notes may contain secrets, personal data, tokens, or internal documents, so this behavior can disclose sensitive content to logs, calling agents, chat transcripts, or downstream integrations without an explicit warning or consent boundary.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This section sends generated report contents to Telegram using bot credentials, but the script provides no prominent warning, consent gate, or data classification check before transmission. Because the pipeline ingests arbitrary content into Obsidian, users may unknowingly forward sensitive notes or scraped material to an external service.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This block exchanges Feishu app credentials for a token and sends report content to Feishu without any clear warning or user confirmation in the script itself. In a knowledge-ingestion workflow, that can exfiltrate potentially sensitive generated content and metadata to an external messaging platform unexpectedly.

VirusTotal

No VirusTotal findings

View on VirusTotal