web-to-obsidian

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its stated web-to-Obsidian purpose, but it needs review because it sends user URLs to third-party services and weakens HTTPS protections.

Install only if you are comfortable with submitted URLs being processed by third-party services and fetched content being written into your Obsidian vault. Avoid private, intranet, token-bearing, or sensitive URLs unless the skill is changed to use normal HTTPS verification, direct/local fetching by default, explicit third-party opt-in, and a unique secure temporary file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (13)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding: The skill performs network-capable actions to fetch remote web content, but no explicit permissions are declared. This weakens the trust boundary for users and the platform because the skill can transmit user-supplied URLs and retrieve remote data without clear upfront authorization. In this context, the capability is central to the skill, but the lack of declaration still creates a real security and transparency gap.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 98%
Finding: The documented behavior omits materially important actions: sending URLs to third-party content-cleaning services and disabling SSL certificate verification during network requests. These omissions are dangerous because they expose user activity and potentially sensitive target URLs to external parties, while SSL bypass enables man-in-the-middle tampering or interception of fetched content. The skill context increases risk because users may assume article import is local or direct when it is actually routed through external services.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding: The code globally disables TLS certificate validation and hostname verification for every outbound request. This allows man-in-the-middle interception and tampering of fetched content, which is especially risky for a tool that imports remote content into a user's knowledge base and may be used on untrusted networks.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding: The fetcher silently rewrites user requests to third-party services (r.jina.ai, markdown.new, defuddle.md), disclosing the target URL and relying on external processors not clearly described by the skill's core purpose. This expands the trust boundary and can leak sensitive URLs, access patterns, or internal links a user intended to fetch directly.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding: The script globally disables certificate validation and hostname verification for all outbound HTTPS checks, which allows a man-in-the-middle attacker or hostile network to spoof the target service and influence reachability tests. In this skill, those tests decide which third-party fetch service will receive the user's URL, so tampered TLS can misroute requests or hide failures.

Intent-Code Divergence

Severity: Low
Confidence: 91%
Finding: The comment suggests SSL verification is skipped only in limited cases, but the implementation applies insecure TLS settings to every URL probe. This mismatch increases risk because maintainers may believe the exception is narrow while the code silently weakens transport security across the whole preprocessor.

Vague Triggers

Severity: Medium
Confidence: 82%
Finding: The trigger phrases are broad enough that the skill may activate in situations the user did not intend, especially around generic requests like saving or importing web content. Over-broad activation can lead to unintended network access, translation, metadata generation, file creation, and import into Obsidian without sufficiently specific user consent. While not inherently malicious, this increases the chance of accidental data handling.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The skill writes fetched content into a predictable local file name, temp.md, and then deletes it, but does not clearly warn the user or obtain confirmation. This can expose sensitive content locally, create race or overwrite issues, and interfere with existing files in the current directory if a temp.md already exists. The danger is higher because the fetched content may include private or copyrighted material and the working directory may be shared or synced.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The workflow sends webpage URLs and potentially related retrieval activity to external fetch/cleaning services, but the documentation lacks a clear privacy and data-transfer warning. Users may provide private, internal, or sensitive links expecting local processing, and those links could then be disclosed to third parties. In a web-clipping skill, undisclosed external transmission is a meaningful privacy vulnerability.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding: The eval prompts are very broad natural-language requests that can trigger the skill whenever a user mentions saving or fetching a webpage into Obsidian, without clear boundaries on when the skill should activate. In an agent setting, this increases the chance of overbroad invocation, unintended network fetches, and writing unreviewed external content into a local vault based on ambiguous user input.

Natural-Language Policy Violations

Severity: Medium
Confidence: 85%
Finding: The eval expectations require Chinese translation/output even when the prompt only asks to save the article, not to translate it. This creates a behavioral policy mismatch where the agent may transform user data or third-party content without explicit consent, which can surprise users, reduce fidelity, and introduce privacy or integrity concerns if content is altered by default.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: User-supplied URLs are transmitted to third-party cleaning services without an explicit warning or consent flow. If users provide private, tokenized, intranet, or otherwise sensitive links, those URLs may be exposed to external operators and logged outside the user's control.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The code sends the user-provided URL to external services (r.jina.ai, markdown.new, defuddle.md) to test and transform it without explicit notice or consent. URLs can contain sensitive internal hosts, private document links, tokens, or query parameters, so forwarding them to third parties creates a real privacy and data-leak risk in a tool whose purpose is just saving web content to Obsidian.

VirusTotal

64/64 vendors flagged this skill as clean.