obsidian

SUSPICIOUS. The skill's actual footprint does not match its stated Obsidian purpose: it is a generic third-party AI gateway skill with broad model access plus email/SMS actions. The main security issue is data-flow integrity: prompts, files, phone numbers, and the API credential all flow to api.heybossai.com rather than to the official provider endpoints it claims to abstract. No install chain or obfuscation is present, so this is not confirmed malware, but the purpose-capability mismatch, intermediary routing, and autonomous messaging capabilities make it a high-risk skill.