Security audit

Obsidian Perfect

Security checks across malware telemetry and agentic risk

Overview

This is a broad Obsidian controller with no evidence of theft or malware, but it gives an agent wide read, write, delete, and command authority over a private vault with weak safety boundaries.

Install only if you are comfortable giving the agent broad access to your Obsidian vault. Use a test or backed-up vault first, keep the REST API bound to localhost, restrict the API key, and require explicit confirmation for moves, merges, deletes, overwrites, bulk scans, and obsidian-command actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (16)

Intent-Code Divergence

Medium (95% confidence)
Finding:
The helper `findReferences` is presented as identifying which notes reference a broken link, but it actually returns the first three file names regardless of whether they contain the link. This can mislead users into editing unrelated notes and hide the true source of broken links, undermining integrity of the diagnostic output.

Vague Triggers

Medium (90% confidence)
Finding:
The README shows very broad natural-language trigger examples such as 'daily', 'busca arquitetura', 'status do vault', and 'nova task', which overlap with ordinary user conversation. In an agent skill context, ambiguous triggers can cause the agent to invoke powerful note, search, or modification actions unintentionally, especially because this skill exposes creation, update, search, and command-execution capabilities over a private knowledge base.

Missing User Warnings

Medium (95% confidence)
Finding:
The README advertises broad capabilities across note management, folder operations, search, metadata editing, and especially 'obsidian-command' execution, but it does not prominently warn about privacy exposure or the operational impact of these actions. In this context, the skill can read and alter potentially sensitive personal knowledge-base contents and perform destructive or wide-ranging actions, so underspecified safeguards materially increase the risk of misuse or accidental data loss.

Vague Triggers

Medium (89% confidence)
Finding:
The package description advertises a very broad capability set for controlling Obsidian via REST, including CRUD, search, templates, Dataview, and Zettelkasten features, but it does not define activation boundaries, allowed operations, or user-consent constraints. In an agent skill context, overly broad scope increases the chance the skill is invoked for sensitive note operations beyond user expectations, which can enable unintended data access or modification.

Missing User Warnings

Medium (80% confidence)
Finding:
This function creates a new canvas and inserts notes automatically based on search results, with no explicit confirmation step or preview of which notes will be included. In an agent context, that can cause unintended modification of a user's workspace and accidental aggregation of sensitive notes into a new artifact, especially when the `theme` or `tags` are broad.

Missing User Warnings

Low (78% confidence)
Finding:
Automatically opening the generated canvas triggers an additional side effect beyond creation, without a user-facing disclosure at the point of action. While lower impact than data modification, this can still surprise users, alter their UI state, and increase the stealthiness of unauthorized workspace changes made by an agent.

Missing User Warnings

Low (79% confidence)
Finding:
The function constructs a Dataview query directly from untrusted `from` and `sortBy` inputs and sends it to the backend without validation or constraints. If an attacker can control these fields, they may manipulate query scope to enumerate unintended notes/tasks or abuse the query interface beyond the expected task listing behavior.

Missing User Warnings

Medium (83% confidence)
Finding:
When `includeContent` is enabled by default, the skill reads the full contents of every markdown file in the target folder and derives statistics from them. Even though the data is not obviously exfiltrated here, this expands access from metadata-only listing to bulk content inspection without an explicit user-facing consent boundary, which can expose sensitive note contents in agent workflows.

Missing User Warnings

Medium (91% confidence)
Finding:
This tool performs a persistent write to vault content via a PUT request without any confirmation, dry-run mode, or in-file safeguard indicating that user approval is required before modification. In an agent setting, that increases the risk of unintended or automated note tampering, especially because both source and destination notes can be modified when bidirectional linking is enabled.

Missing User Warnings

Medium (92% confidence)
Finding:
The function deletes the secondary note by default immediately after merging, with no confirmation, dry-run mode, or rollback check. In an agent context, a mistaken path, prompt-influenced tool call, or unexpected merge result can cause irreversible data loss because the code also does not verify the PUT succeeded before issuing DELETE.

Missing User Warnings

Medium (90% confidence)
Finding:
The function implements a destructive move by creating a new file and then deleting the original, but it provides no confirmation, dry-run mode, overwrite protection, or safeguard against accidental invocation. In an agent setting, a mistaken path or destination, prompt injection, or unsafe automation could cause unintended data loss or file relocation with limited recovery options.

Missing User Warnings

Medium (76% confidence)
Finding:
The rename operation is effectively destructive: it creates a new note and then deletes the old one, with no validation that the write succeeded semantically, no collision handling, and no confirmation or safeguard before deletion. In an agent context, this can cause unintended data loss or silent overwrite behavior if invoked on the wrong target or with a conflicting `newName`.

Missing User Warnings

Medium (78% confidence)
Finding:
The fallback path enumerates vault contents and reads every markdown file in the target folder to infer tags, which can expose substantially more note data than the caller may expect from a simple tag search. In an agent/tooling context, this broad collection behavior increases privacy risk because a failed primary search silently degrades into bulk vault scanning without explicit disclosure or scope minimization.

Missing User Warnings

Medium (95% confidence)
Finding:
The skill enumerates the entire vault and then fetches note contents broadly to analyze backlinks and orphan status, without any user-facing notice, consent prompt, or scope restriction. Even though this serves the stated feature, vault-wide content access can expose sensitive note contents unexpectedly and increases privacy risk, especially if invoked in contexts where users may not realize the breadth of access.

Missing User Warnings

Medium (91% confidence)
Finding:
This tool reads a template and then overwrites a note through an API without any explicit confirmation, dry-run, or guardrail around destructive modification. In an agent setting, a misinterpreted instruction, prompt injection, or incorrect path can cause unintended note corruption or data loss, especially because existing content may be rewritten automatically.

Missing User Warnings

Medium (94% confidence)
Finding:
The skill enumerates the entire vault and then fetches the full text of every markdown file to compute aggregate statistics. Even if the output is summarized, this creates bulk access to potentially sensitive notes without any consent gate, scope restriction, or user-facing disclosure, which increases privacy and data-exposure risk if the tool is invoked unexpectedly or by a broader agent workflow.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.