obsidian-cli
Fail
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [DYNAMIC_EXECUTION]: The `obsidian eval code="..."` command allows the execution of arbitrary JavaScript within the Obsidian application context (accessing the `app` object). This can be used to perform any action the application is capable of, including reading sensitive files or making unauthorized network requests.
- [DATA_EXPOSURE_AND_EXFILTRATION]: The skill includes diagnostic commands like `obsidian dev:screenshot`, `obsidian dev:console`, and `obsidian dev:dom`. These commands can be used to capture the visual state of the application, internal logs, and the DOM structure, all of which may contain sensitive user information or secrets.
- [INDIRECT_PROMPT_INJECTION]: The skill creates a significant attack surface by reading untrusted data from the user's vault.
  - Ingestion points: Note content read via `obsidian read` or `obsidian daily:read`, and search results from `obsidian search`.
  - Boundary markers: No delimiters or instructions are used to distinguish note content from system instructions.
  - Capability inventory: The agent can execute arbitrary code (`eval`), modify files (`create`, `append`), and capture application state (`screenshot`, `console`).
  - Sanitization: There is no evidence of sanitization or filtering of note content before it is processed by the agent.
- [METADATA_POISONING]: The skill references `https://help.obsidian.md/cli` as an official documentation source, but this URL is not a standard part of the official Obsidian documentation, which may lead to a false sense of security regarding the 'obsidian' CLI tool's origin and safety.
- [COMMAND_EXECUTION]: The skill relies on an external CLI tool (`obsidian`) to perform all actions, which executes commands on the host system.
Recommendations
- AI detected serious security threats
Audit Metadata