Description-Behavior Mismatch
Medium
- Confidence
- 89% confidence
- Finding
- The `ai_expand` entry explicitly states it may "fall back to Claude API directly if no plugin is installed," which expands the trust boundary from local Obsidian plugin orchestration to external network/API access. That creates undocumented outbound data flow and changes the skill from a local bridge/catalog into a component that can transmit vault content to a third party, increasing privacy and data-handling risk.
