Back to skill

Security audit

Obsidian KB

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only Obsidian knowledge-base helper that performs local scans and writes local rule/export files, with no evidence of hidden or unrelated behavior.

Install only if you want an agent to inspect your Obsidian Markdown folder structure and maintain local classification files. Before running scans or rule edits, confirm the exact vault path and both write locations, avoid broad parent directories, and keep a backup before syncing or exporting data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly instructs updating rule files in two locations, including a global path under ~/.claude, but does not require explicit user confirmation or clearly warn that configuration files will be modified. This can lead to unintended persistent changes to user settings/workspace state, especially if the vault or workspace path is misconfigured or attacker-influenced.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The rule-adjustment workflow modifies classification rules and syncs them to multiple locations without a strong safety gate. Because these are user configuration artifacts, silent or poorly disclosed edits can corrupt rules, create unwanted persistence, or overwrite expected settings across both global and workspace contexts.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The export workflow writes structured files containing knowledge-base metadata to disk, but the skill does not prominently warn about data creation, storage location, or sensitivity of the exported content. This creates a risk of accidental disclosure of folder names, counts, and organizational metadata if exports are written to shared, synced, or insecure locations.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal