obsidian-cli
Warn
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill provides an
obsidian evalcommand which allows the agent to execute arbitrary JavaScript code within the context of the running Obsidian application. This feature, while intended for plugin development, provides a direct path for executing unverified code logic within the user's environment. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through data it processes from the user's vault.
- Ingestion points: The agent reads untrusted data via
obsidian read,obsidian search,obsidian daily:read, andobsidian dev:console(SKILL.md). - Boundary markers: There are no delimiters or explicit instructions to ignore embedded commands within the vault data.
- Capability inventory: The skill can create or modify files, set properties, and execute arbitrary JavaScript (
obsidian eval). - Sanitization: No sanitization or content validation is performed on data retrieved from the vault before it is processed by the agent.
- [DATA_EXFILTRATION]: The skill exposes a significant amount of sensitive information from the user's vault, including the ability to read all notes, retrieve console logs, and take screenshots of the application via
obsidian dev:screenshot. Without strict controls, this data could be accessed or processed unexpectedly.
Audit Metadata