obsidian-frontmatter-sync

SUSPICIOUS. The skill’s capabilities are coherent with frontmatter synchronization and local media copying, and there is no clear credential theft or exfiltration path. However, the core risk is supply-chain trust: it instructs installation of an external CLI package (`rematter`) whose official publisher/source could not be verified from the evidence, and the install is unpinned. That makes the skill medium-to-high risk even though its stated behavior is otherwise proportionate and local-only.