obsidian-cli
Warn
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill features the `obsidian eval` command, which allows for the execution of arbitrary JavaScript code strings within the Obsidian application context. While documented for plugin development, this provides a vector for dynamic code execution.
- [PROMPT_INJECTION]: The skill handles untrusted data from Obsidian vault files, creating a surface for indirect prompt injection.
  - Ingestion points: Data enters the agent context through file-reading commands such as `obsidian read`, `obsidian search`, and `obsidian properties`.
  - Boundary markers: The instructions do not define delimiters or specific constraints to prevent the agent from interpreting note content as instructions.
  - Capability inventory: The skill includes extensive file modification capabilities (create, append, move, delete) and JavaScript execution (eval) that could be leveraged by malicious content in a vault.
  - Sanitization: There is no evidence of content sanitization or validation for the data retrieved from the vault files.
- [SAFE]: The skill references documentation hosted on the official GitHub repository for Obsidian (`obsidianmd`), which is a well-known and trusted source.
Audit Metadata