obsidian-cli
Warn
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill features an
evalcommand that allows the execution of arbitrary JavaScript within the context of the running Obsidian application. - Evidence: The command
obsidian eval code="..."provides a direct method to run dynamic code with access to theappobject and internal vault APIs. - [COMMAND_EXECUTION]: The skill functions by invoking a local binary (
obsidian) with various subcommands and parameters to control the application. - Evidence: The skill defines syntax for
obsidian create,obsidian daily:read, andobsidian plugin:reloadto perform system-level operations. - [DATA_EXFILTRATION]: The skill provides capabilities to read file contents, search through the vault, and capture screenshots of the active workspace, facilitating access to private data.
- Evidence: Commands like
obsidian read,obsidian search, andobsidian dev:screenshotallow for the retrieval and potential exposure of sensitive vault information. - [PROMPT_INJECTION]: The skill possesses a significant attack surface for indirect prompt injection because it ingests untrusted data from the local vault and has powerful execution capabilities.
- Ingestion points: Data is pulled into the agent's context through
obsidian read,obsidian search, and developer log commands inSKILL.md. - Boundary markers: There are no markers or instructions provided to the agent to distinguish between user data and instructions.
- Capability inventory: The skill has access to arbitrary code execution via
evaland file modification capabilities. - Sanitization: No sanitization or validation of vault content is described, allowing malicious notes to potentially influence agent behavior.
Audit Metadata