Obsidian - read, search, write and edit direct to obsidian vault.
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its Obsidian note-taking purpose, but its file-writing helper is not clearly confined to the vault and could create or overwrite Markdown files outside it.
Before installing, set the vault path to the exact Obsidian vault you want the agent to access, keep backups or version history for important notes, avoid absolute or '../' folder values, and review or patch the script so note creation cannot write outside the vault or silently overwrite existing files.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken, malicious, or injected folder value could make the agent create or overwrite a Markdown file outside your intended vault, under the user account's normal file permissions.
The folder argument is used directly to build the write path, then the file is written. The shown function does not reject absolute paths, '..' traversal, or existing target files, so a create operation is not clearly limited to the intended Obsidian vault.
def create_note(vault: Path, title: str, content: str = '', folder: str = None,
...
if folder:
note_dir = vault / folder
note_dir.mkdir(parents=True, exist_ok=True)
...
note_path = note_dir / f"{safe_title}.md"
...
note_path.write_text(full_content, encoding='utf-8')
Constrain folder paths by resolving them under the vault, reject absolute paths and '..' segments, check before overwriting existing files, and require explicit user confirmation for any write outside the expected vault folder.
Searches and answers may expose the contents of notes in the configured vault to the active agent session.
The search helper reads Markdown files across the configured vault and returns matched context to the agent. This is purpose-aligned for a knowledge-base skill, but it means private notes can enter the agent context.
for md_file in vault.rglob('*.md'):
...
content = md_file.read_text(encoding='utf-8')
...
'context': context[:500]
Point the skill only at the vault you intend the agent to read, avoid storing secrets in that vault, and treat retrieved note text as untrusted context rather than instructions.
It is harder to verify who maintains the skill or compare it against an upstream project.
The package does not provide an upstream source or homepage for independent verification. No remote install behavior is shown, so this is a provenance note rather than evidence of malicious behavior.
Source: unknown
Homepage: none
Install only if you trust the publisher, and review the included scripts before allowing them to modify important notes.
