Security audit

Plugin Orchestration Protocol

Security checks across malware telemetry and agentic risk

Overview

This Obsidian automation skill is not clearly malicious, but it needs review because it can drive broad vault changes, exports, environment-variable access, and external AI/tool integrations without clear confirmation or scoping.

Install only if you trust the separate Obsidian plugin, Rust bridge, and host tools it depends on. Use a test vault first, disable or restrict delete/update/templater/environment-variable actions, require approval before writes or exports, and opt in explicitly before any vault content is sent to an external AI provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Description-Behavior Mismatch
Medium (89% confidence)
Finding: The `ai_expand` entry explicitly states it may "fall back to Claude API directly if no plugin is installed," which expands the trust boundary from local Obsidian plugin orchestration to external network/API access. That creates undocumented outbound data flow and changes the skill from a local bridge/catalog into a component that can transmit vault content to a third party, increasing privacy and data-handling risk.

Context-Inappropriate Capability
Medium (82% confidence)
Finding: The catalog includes host-level dependency instructions (`pip install autofigure`) for a bridge-executed tool, which broadens the system from plugin orchestration into arbitrary host-side package execution. This increases attack surface because the bridge host may execute or rely on external code outside Obsidian's plugin model, with weaker isolation and more potential for supply-chain or local execution abuse.

Context-Inappropriate Capability
Medium (78% confidence)
Finding: Declaring export via the external Pandoc binary extends behavior beyond a simple WebSocket bridge to invoking host binaries, which can expose the system to command-execution and file-write risks if parameters are not tightly controlled. Even if intended for legitimate document conversion, this materially enlarges the operational scope and security boundary.

Missing User Warnings
Medium (95% confidence)
Finding: The skill explicitly defines pipelines that create notes, merge content, export files, and otherwise modify the Obsidian vault, but it provides no requirement for explicit user confirmation, dry-run behavior, scope limitation, or rollback safeguards before executing data-changing actions. In an orchestration skill that can chain multiple steps automatically over WebSocket, this omission materially increases the risk of unintended file creation, modification, deletion-equivalent overwrites, or bulk changes from ambiguous prompts or malformed pipeline definitions.

Missing User Warnings
Low (87% confidence)
Finding: The manifest discovery phase enumerates installed plugins and exposed actions, which can reveal sensitive information about a user's environment, workflows, capabilities, and potentially security-relevant tooling. Because the skill presents this as a standard first step without any privacy disclosure, minimization guidance, or consent requirement, it risks silent collection and transmission of environment metadata that users may not expect to share.

Vague Triggers
Medium (91% confidence)
Finding: The activation description uses broad phrases such as 'Obsidian plugin,' 'pipeline orchestration,' and 'knowledge pipeline,' which could trigger the skill in contexts where the user is discussing concepts rather than intending to invoke a live orchestration protocol. For a skill capable of initiating authenticated WebSocket-based workflows against local tools, overbroad activation increases the chance of accidental invocation and unintended sensitive operations.

Vague Triggers
Medium (90% confidence)
Finding: The built-in pipeline trigger phrases include generic language like 'draft paper,' 'write paper,' and 'research digest,' which can appear in ordinary conversation without any intention to launch an automated pipeline. Given that these triggers map to multi-step workflows with vault actions and external orchestration components, weak context constraints make accidental execution more plausible and therefore more dangerous.

Missing User Warnings
Medium (71% confidence)
Finding: The markdown describes automatic publication with authentication but provides no user warning, consent checkpoint, or privacy notice. In an orchestration skill context, users may reasonably believe content could be sent to an external service, which increases the risk of unintended disclosure of sensitive notes or generated material if the documented behavior is later implemented or trusted operationally.

Missing User Warnings
Medium (84% confidence)
Finding: The catalog advertises state-changing actions such as `update_note` and `delete_note` without any warning, confirmation expectation, or safety constraints. In an orchestration context, documenting destructive primitives as routine capabilities can normalize unsafe automation and increase the chance of accidental or unauthorized vault modification.

Missing User Warnings
Medium (90% confidence)
Finding: This section describes external/API and bridge-mediated operations, including direct Claude API fallback and a localhost coherence bridge, without warning that note content may leave the local vault or traverse additional services. In a knowledge-management tool, undisclosed outbound transmission is a meaningful privacy and confidentiality risk because users may assume plugin orchestration remains local.

Missing User Warnings
Medium (88% confidence)
Finding: The protocol exposes destructive vault actions such as `update_note` and `delete_note`, plus export and merge operations, without any requirement for user confirmation, authorization scoping, or safety prompts. In the context of an Obsidian automation bridge, a connected local process could modify or destroy notes and exfiltrate content through exports, making the lack of guardrails materially risky.

Missing User Warnings
Medium (96% confidence)
Finding: The variable reference syntax explicitly allows `$ENV_VAR` access with no privacy or credential-handling restrictions. In a pipeline system connected over WebSocket, this can enable a peer to resolve secrets from the host environment and then write or export them via note content or pipeline outputs, creating a clear credential-exfiltration path.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.