obsidian
Fail
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: HIGH
Categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill provides an `obsidian eval` command in the `references/cli-reference.md` file, which enables the execution of arbitrary JavaScript code within the application's environment. This grants the agent direct access to the internal Obsidian API and the underlying system via the Electron framework.
- [EXTERNAL_DOWNLOADS]: The `obsidian plugin:install` command allows the agent to fetch and install third-party community plugins. This mechanism facilitates the execution of unverified remote code with the same privileges as the main application.
- [COMMAND_EXECUTION]: The skill defines several high-risk CLI commands, including `obsidian command` for executing internal app functions and `obsidian dev:screenshot` for capturing images of the vault content, which could lead to unauthorized data exposure.
- [PROMPT_INJECTION]: The skill exposes a significant surface for indirect prompt injection.
  - Ingestion points: The agent can ingest untrusted data via `obsidian read`, `obsidian search`, `obsidian dev:dom`, and `obsidian web`.
  - Boundary markers: No boundary markers or 'ignore instructions' delimiters are specified for processing this data.
  - Capability inventory: The skill possesses high-impact capabilities including `obsidian eval` (arbitrary JS), `obsidian plugin:install` (RCE), and file system modifications (`create`, `delete`, `move`).
  - Sanitization: No sanitization or validation logic is present to filter malicious instructions from processed content.
Recommendations
- AI detected serious security threats
Audit Metadata