Security audit

Obsidian Headless

Security checks across malware telemetry and agentic risk

Overview

This skill is a local Obsidian note-management tool whose file access and note edits match its stated purpose, with some setup and privacy caveats users should review.

Install only if you are comfortable letting the skill read, create, append, search, and delete Markdown files in the Obsidian vault you configure. Review install.sh before running it, especially the shell alias and symlink setup, and keep backups of important notes before using delete workflows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (5)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 88%
Finding
The skill clearly documents shell execution, installation scripts, and filesystem operations, but no permissions are declared. This creates a transparency and consent problem: a caller may invoke a skill with command execution capability without an explicit permission boundary, increasing the chance of unintended file modification or command use.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 82%
Finding
The documented behavior goes beyond the concise declared purpose by including reading note contents, enumerating vault structure, changing configured vault paths, and installation steps that modify shell startup files or create command links. This mismatch weakens informed consent and can lead users or orchestrators to grant trust for a narrower note-management function than the skill actually performs.

Vague Triggers

Medium
Confidence: 80%
Finding
Using an overly broad trigger like “笔记” can cause accidental activation during normal conversation, especially in a general assistant setting. Because this skill can read, create, and delete files in a configured vault, unintended triggering meaningfully increases the risk of unwanted data disclosure or modification.

Missing User Warnings

Medium
Confidence: 87%
Finding
The documentation explicitly supports viewing notes and searching note contents, but it does not warn users that command output may reveal sensitive information in plaintext to the terminal, logs, shell history context, or upstream agent transcripts. In a headless/CLI environment, this omission increases the risk of accidental disclosure of private notes, credentials, personal data, or internal documentation.

Missing User Warnings

Medium
Confidence: 94%
Finding
The installer appends an alias directly to the user's shell startup file without first obtaining explicit confirmation. Modifying persistent shell configuration can have unintended side effects, can override existing user expectations, and is risky in an agent-driven context where installation may be triggered non-interactively or with limited user scrutiny.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.