Security audit

Obsidian 1

Security checks across malware telemetry and agentic risk

Overview

This skill is a short Obsidian helper that documents expected note-vault commands, with no hidden code or automatic behavior found.

Install only if you intend to let an agent operate on your Obsidian vaults. Before using delete or move commands, confirm the active vault and exact note path, and keep backups or use an archive/trash workflow for important notes.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The skill explicitly documents `obsidian-cli delete "path/note"` without any warning, confirmation guidance, backup recommendation, or advice to verify the target vault/path first. In a tool that operates on users' real note vaults, this can normalize destructive actions and increase the chance of accidental data loss, especially when multiple vaults or ambiguous note paths exist.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal