Obsidian GitHub Sync

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: syncs an Obsidian vault to a user-chosen GitHub repository, including optional scheduled syncing.

Before installing or scheduling this, confirm the vault path and GitHub remote are correct, use a private or intended repository, review .gitignore exclusions, avoid storing secrets in synced notes, test the script manually first, and keep track of any cron/OpenClaw/systemd timer you enable.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill automates commits and pushes an Obsidian vault to a remote GitHub repository, but the description does not prominently warn users that potentially sensitive note contents will be uploaded on a schedule. This creates a real risk of inadvertent data exposure, especially because personal vaults often contain secrets, private notes, or regulated information.

Missing User Warnings

Medium

Confidence: 85% confidence
Finding: The guide instructs users to automate git-based synchronization and conflict resolution workflows that ultimately push vault contents to GitHub, but it does not explicitly warn that private notes may be transmitted to a remote repository. In the context of an Obsidian vault, users may store sensitive personal or work information, so omission of a clear disclosure meaningfully increases the risk of accidental data exposure.

VirusTotal

51/51 vendors flagged this skill as clean.

View on VirusTotal