Obsidian Cleaner

Security checks across malware telemetry and agentic risk

Overview

This appears to be a local Obsidian cleanup tool, but it needs review because it can move notes and text files, not just attachments.

Review before installing. If used, run the dry-run command first and check every proposed move. Do not run the live cleanup unless you are comfortable with root-level .md and .txt files being moved, or edit the extension list to remove those file types.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Tp4

High
Category
MCP Tool Poisoning
Confidence: 83%
Finding
If the underlying skill actually moves .md and .txt files and accepts arbitrary vault and attachment paths, then its behavior exceeds the user-facing description and can modify non-attachment content or operate outside the intended Obsidian vault. That mismatch is dangerous because users may invoke a seemingly narrow cleanup action while the tool performs broader file reorganization on arbitrary directories.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The tool’s manifest says it cleans up loose images and attachments, but the supported extension list includes .md and .txt, allowing it to move actual notes from the vault root into the Attachments folder. In Obsidian, moving note files can break user organization, workflows, and links or cause unintended content changes, especially because the operation is destructive by default rather than preview-only.

Vague Triggers

Medium
Confidence: 80%
Finding
The trigger phrase "clean attachments" is broad enough to match unrelated user requests involving email, chat, ticketing systems, or other document repositories. In an agent environment with file-moving capabilities, ambiguous activation can cause unintended execution against the wrong context or dataset.

Vague Triggers

Medium
Confidence: 89%
Finding
The description says the skill will "Automatically clean up" attachments, which implies autonomous file-moving behavior without defining scope, safeguards, or user confirmation. In a filesystem-manipulating skill for an Obsidian vault, ambiguous automation can cause unintended file movement, broken links, or data loss if triggered too broadly or at the wrong time.

Natural-Language Policy Violations

Low
Confidence: 84%
Finding
The wording prescribes automatic action but does not clarify that the user must explicitly approve the cleanup operation before files are moved. Even if intended as convenience, omission of opt-in language increases the chance that users misunderstand the level of autonomy and permit unwanted modifications to vault contents.

Vague Triggers

Medium
Confidence: 94%
Finding
The package description advertises automatic activation on broad natural-language phrases such as "clean obsidian" and "clean attachments" without any visible constraint, confirmation step, or scoping language. In a skill that moves files inside an Obsidian vault, broad triggers increase the chance of unintended invocation and accidental file operations, which can disrupt notes, attachments, or user workflow.

VirusTotal

50/50 vendors flagged this skill as clean.