Security audit

Obsidian Headless

Security checks across malware telemetry and agentic risk

Overview

This skill is a local Obsidian note-management tool whose file access and note edits match its stated purpose, with some setup and privacy caveats users should review.

Install only if you are comfortable letting the skill read, create, append, search, and delete Markdown files in the Obsidian vault you configure. Review install.sh before running it, especially the shell alias and symlink setup, and keep backups of important notes before using delete workflows.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection

Findings (5)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 88% confidence
Finding: The skill clearly documents shell execution, installation scripts, and filesystem operations, but no permissions are declared. This creates a transparency and consent problem: a caller may invoke a skill with command execution capability without an explicit permission boundary, increasing the chance of unintended file modification or command use.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 82% confidence
Finding: The documented behavior goes beyond the concise declared purpose by including reading note contents, enumerating vault structure, changing configured vault paths, and installation steps that modify shell startup files or create command links. This mismatch weakens informed consent and can lead users or orchestrators to grant trust for a narrower note-management function than the skill actually performs.

Vague Triggers

Medium

Confidence: 80% confidence
Finding: Using an overly broad trigger like “笔记” can cause accidental activation during normal conversation, especially in a general assistant setting. Because this skill can read, create, and delete files in a configured vault, unintended triggering meaningfully increases the risk of unwanted data disclosure or modification.

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The documentation explicitly supports viewing notes and searching note contents, but it does not warn users that command output may reveal sensitive information in plaintext to the terminal, logs, shell history context, or upstream agent transcripts. In a headless/CLI environment, this omission increases the risk of accidental disclosure of private notes, credentials, personal data, or internal documentation.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The installer appends an alias directly to the user's shell startup file without first obtaining explicit confirmation. Modifying persistent shell configuration can have unintended side effects, can override existing user expectations, and is risky in an agent-driven context where installation may be triggered non-interactively or with limited user scrutiny.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.