obsidian-cli
Fail
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: HIGH | REMOTE_CODE_EXECUTION | COMMAND_EXECUTION | DATA_EXFILTRATION | PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The 'obsidian eval' command enables the execution of arbitrary JavaScript code within the context of the Obsidian application. This allows for unverified code to be executed, bypassing standard safety constraints and potentially accessing Electron/Node.js APIs if enabled by the app.
- [COMMAND_EXECUTION]: The skill provides powerful file system management commands, most notably 'obsidian delete' with a 'permanent' flag that skips the system trash, and 'obsidian move', which could be used to delete or hide sensitive files.
- [DATA_EXFILTRATION]: Multiple commands facilitate the extraction of potentially sensitive information from the vault, including 'obsidian read' for file contents, 'obsidian dev:dom' for extracting UI text, and 'obsidian dev:screenshot' for capturing visual snapshots of the application.
- [PROMPT_INJECTION]: The skill presents a large attack surface for indirect prompt injection.
  1. Ingestion points: Vault content is ingested through 'obsidian read', 'obsidian search', and 'obsidian dev:dom'.
  2. Boundary markers: There are no instructions or markers to prevent the agent from following malicious commands found within the ingested vault data.
  3. Capability inventory: The skill provides arbitrary code execution ('obsidian eval') and file deletion ('obsidian delete').
  4. Sanitization: No sanitization or safety checks are performed on the data retrieved from the vault before the agent processes it.
Recommendations
- AI detected serious security threats