Obsidian Tasks

Security checks across malware telemetry and agentic risk

Overview

This skill creates local Obsidian task-board files and has a separate, documented maintainer publish helper, with no evidence of hidden data export or unsafe automatic behavior.

Install this if you want an agent to manage task files inside an Obsidian vault. Provide a precise vault path, keep normal Obsidian backups or sync history, review task edits before broad changes, and ignore the maintainer publish script unless you are publishing this skill yourself.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Tp4

High

Category: MCP Tool Poisoning
Confidence: 98% confidence
Finding: A claimed task-management skill that also publishes the repository to an external service is a serious trust-boundary violation and unrelated to the declared functionality. Because the documented behavior does not disclose this exfiltration path, users could unknowingly send private vault or repository contents to a third party, which is especially dangerous for Obsidian notes that often contain sensitive personal or business data.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal