Obsidian Save Article

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a real Obsidian article-saving helper, but it has under-scoped browser/session fallback and image downloading behavior that users should review before installing.

Review before installing. Use this only for URLs you are comfortable sending to Jina.ai and saving into your Obsidian vault. Avoid private, tokenized, intranet, paywalled, or logged-in pages unless you explicitly intend to archive that content. The image downloader should ideally be tightened to allow only http/https public hosts and enforce download size/count limits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Description-Behavior Mismatch (severity: Medium, confidence: 94%)

The skill is presented as saving articles into a local Obsidian vault, but it routes requested URLs through `https://r.jina.ai/`, disclosing user-supplied links and potentially page-derived content to a third party. This creates a data-sharing risk that is not obvious from the core description, especially if users save private, internal, or sensitive URLs.

Description-Behavior Mismatch (severity: Medium, confidence: 92%)

The documented fallback includes using a browser tool to access logged-in or restricted content, which materially expands the skill's power beyond simple public article saving. That can expose authenticated content, session-bound data, or private pages to local storage and downstream processing in ways the high-level description does not clearly bound.

Description-Behavior Mismatch (severity: Medium, confidence: 96%)

The script sends the target article URL to the external service r.jina.ai to obtain markdown, which introduces third-party data disclosure not implied by a local save/conversion utility. Even if only the URL is transmitted directly, the article content and user access patterns may be exposed to that external provider, creating a privacy and trust boundary violation.

Missing User Warnings (severity: Medium, confidence: 96%)

The skill omits a clear user-facing disclosure that article URLs and content requests may be sent to Jina.ai. This is dangerous because users may assume all processing is local and unknowingly transmit sensitive browsing targets or content metadata to an external service.

Missing User Warnings (severity: Medium, confidence: 95%)

The skill stores the vault path in a persistent config file and writes article content and images into the user's local or iCloud vault, but this persistence and storage behavior is not prominently disclosed as a user-facing warning. That matters because it affects privacy, data retention, and where potentially sensitive article material is stored long-term.

Missing User Warnings (severity: Medium, confidence: 97%)

The code contacts a third-party service for article processing without clear user notice or consent, which can leak browsing targets, potentially sensitive article contents, and usage metadata. In the context of an Obsidian local-save skill, users would reasonably expect local handling, so this undisclosed outbound transfer is more dangerous due to violated privacy expectations.

VirusTotal

51/51 vendors flagged this skill as clean.