obsidian-plugin
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill clones a project template from a third-party GitHub repository (davidvkimball/obsidian-sample-plugin-plus) that is not affiliated with the skill author or a trusted organization.
- [REMOTE_CODE_EXECUTION]: The setup process involves running 'pnpm install' and executing custom scripts from the downloaded repository ('./scripts/setup-ref-links.sh' and 'pnpm obsidian-dev-skills'), which allows for the execution of code from an external source.
- [COMMAND_EXECUTION]: The skill utilizes system commands to manipulate files and directories, including 'rm -rf', 'cp', and 'ln -s' to link project files into the Obsidian application folder.
- [DATA_EXFILTRATION]: The skill accesses the local Obsidian plugin directory (~/.obsidian/plugins/), posing a risk of exposure for private vault data if malicious logic is introduced through the unverified template.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes external template files and user-defined configuration files without explicit sanitization.
  - Ingestion points: manifest.json, package.json, src/main.ts, and local reference markdown files.
  - Boundary markers: No delimiters or instructions to ignore embedded commands are present in the prompt templates.
  - Capability inventory: File system access (rm, cp, ln), subprocess execution (pnpm, git, gh), and shell script execution.
  - Sanitization: No validation or escaping of content from the external template is performed before processing.
Audit Metadata