obsidian-cli
Fail
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill provides an interface to execute a wide range of terminal commands using the
obsidianCLI, allowing the agent to manipulate the local file system and application state. - [REMOTE_CODE_EXECUTION]: The inclusion of the
evalcommand inreferences/commands.mdallows the agent to execute arbitrary JavaScript code within the Obsidian application's runtime environment. This is a critical risk as it could be used to perform unauthorized actions or exfiltrate data. - [EXTERNAL_DOWNLOADS]: Commands such as
plugin:installandtheme:installenable the agent to download and install external code from community repositories, which may not be vetted for security. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection attacks because it is designed to read and process content from user-controlled notes.
- Ingestion points: Content is ingested through
obsidian read,obsidian search, andobsidian daily:readcommands. - Boundary markers: There are no instructions or delimiters provided to prevent the agent from following instructions embedded within the notes it reads.
- Capability inventory: The agent possesses powerful capabilities including
eval,delete,move, andplugin:install. - Sanitization: No evidence of content validation or sanitization exists to mitigate the risk of malicious instructions contained within processed data.
Recommendations
- AI detected serious security threats
Audit Metadata