Security audit

Obsidian Assistant

Security checks across malware telemetry and agentic risk

Overview

This Obsidian helper openly stores vault-related preferences for personalization, so users should treat it as privacy-sensitive but not inherently unsafe.

Install only if you want a persistent Obsidian assistant that remembers your vault setup across conversations. Before sharing command output, screenshots, full paths, note titles, or directory listings, redact anything private. Periodically inspect or clear references/habit-patterns.md if it stores more detail than you want retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (16)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README describes persistent profile storage and automatic file/template writes without a prominent upfront warning or consent model. This is dangerous because users may reveal sensitive vault structure, tags, paths, or workflow metadata without understanding that it will be retained and reused across conversations or written back to disk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill explicitly states it will continuously record the user's Obsidian habits, vault structure, tag logic, and workflow patterns, but provides no notice, consent step, retention policy, or scope limitation. This creates a privacy and profiling risk because users may reveal sensitive filesystem, work-process, or knowledge-management details that are then persistently stored across sessions without informed consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the assistant to immediately read local reference files on activation, including habit records, without first informing the user that local files will be accessed. Silent access to local context files is risky because those files may contain sensitive personal or operational information, and the user is not given a chance to approve or limit that access.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill requires updating a persistent habit profile after every interaction whenever new user information is discovered, again without any user-facing disclosure or consent. Ongoing silent accumulation of behavior, preferences, pain points, and environment details increases profiling risk over time and can expose sensitive personal work patterns if the file is later accessed or misused.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The file explicitly states that the assistant will continuously accumulate the user's actual Obsidian operation patterns and preferences over time, but it provides no notice, consent mechanism, retention limit, or guidance on handling potentially sensitive knowledge-base metadata. Because Obsidian vault structure, tags, templates, plugins, and workflows can reveal personal projects, habits, and sensitive organizational information, silent long-term profiling creates a real privacy and data-minimization risk.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger words for the Capture mode include very common phrases such as '新建' that are not uniquely tied to Obsidian usage. This can cause the skill to activate on unrelated user requests, leading to inappropriate context capture or workflow execution in situations outside the intended domain.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The Organize-mode triggers use vague general-purpose words like '整理' and '分类' without constraining them to notes or vault content. Because these terms are common in everyday requests, the skill may be invoked for unrelated organization tasks and apply retained Obsidian-specific assumptions to the wrong context.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Retrieve-mode terms like '搜索', '查找', and '查询' overlap heavily with generic assistant usage and are not specific to Obsidian. This ambiguity increases the chance of accidental activation, which can route ordinary search requests into the skill and expose or misuse stored assumptions about the user's note-taking environment.

Vague Triggers

Medium
Confidence
89% confidence
Finding
Output-mode triggers such as '写作', '输出', and '导出' are broad productivity terms that apply far beyond Obsidian. In this skill, that is more concerning because the metadata states the assistant records user habits and optimizes workflows, so accidental activation may pull in persistent note-context where the user did not intend Obsidian-specific handling.

Ssd 3

Medium
Confidence
95% confidence
Finding
This section explicitly states that the skill maintains a persistent profile containing user-specific vault path, sync method, structure, tags, plugins, and habits. Persistently accumulating this metadata increases privacy and security risk because it can expose sensitive filesystem details, organizational patterns, and operational habits that could be misused if accessed by unauthorized parties or retained longer than expected.

Ssd 3

Medium
Confidence
94% confidence
Finding
Automatically writing newly observed habits back to a persistent profile creates silent state changes based on conversation content. This is risky because the assistant may store sensitive or incorrect inferences without user review, leading to privacy leakage, profiling, and potentially unsafe downstream personalization based on stale or mistaken data.

Ssd 3

Medium
Confidence
90% confidence
Finding
Framing the assistant as progressively building a detailed long-term model of the user's vault indicates ongoing profiling beyond a single interaction. In the context of a knowledge-management skill, that model can contain highly revealing behavioral and structural data, making the persistent accumulation itself a meaningful privacy/security concern if not bounded by consent, minimization, and transparency.

Ssd 3

Medium
Confidence
95% confidence
Finding
This is a true persistent-data vulnerability: the skill is designed to collect and retain user vault structure, habits, and pain points across interactions in a maintained profile. While the apparent goal is personalization rather than abuse, the persistent profiling of user behavior and workspace metadata materially increases privacy exposure and can reveal sensitive operational context.

Ssd 3

Medium
Confidence
94% confidence
Finding
The skill proactively elicits vault path, directory structure, tag taxonomy, plugin inventory, and workflow details, then saves them into a persistent profile. These details can disclose sensitive file locations, project organization, tools in use, and working habits, making the collection more dangerous than ordinary conversational personalization.

Ssd 3

Medium
Confidence
95% confidence
Finding
The habit-collection workflow instructs the assistant to request system and workflow details such as vault root, directory layout, tags, plugins, and common tasks, then write all collected information into a reference file. Persistently storing this operational metadata can expose private knowledge-base structure and personal work habits, especially if the reference file is accessible to other tools or users.

Ssd 3

Medium
Confidence
97% confidence
Finding
Mandating profile updates after every interaction creates continual surveillance-like accumulation of user habits, pain points, and environment details. Even if intended to improve assistance, this broad and automatic persistence substantially increases privacy risk because it builds a long-lived behavioral dossier without clear boundaries or consent.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.