obsidian-cli
Fail
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: HIGH
Categories: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The `eval` command allows for the execution of arbitrary JavaScript within the Obsidian application context. This provides full access to the internal Obsidian API (including `app.vault` and `app.workspace`), enabling arbitrary code to be run with the privileges of the desktop application. Evidence: `SKILL.md` and `command-reference.md` Developer sections.
- [EXTERNAL_DOWNLOADS]: The `plugin:install` and `theme:install` subcommands facilitate the downloading and activation of third-party code from community repositories. These extensions run within the Obsidian environment with full access to the vault. Evidence: `SKILL.md` Plugins and Themes sections.
- [COMMAND_EXECUTION]: The skill exposes a wide range of file system operations, including creating, moving, and deleting files and folders within the vault. It also allows executing any registered Obsidian command via the `command id=` parameter. Evidence: `SKILL.md` Files and Commands sections.
- [DATA_EXFILTRATION]: The skill enables reading any markdown file in the vault, searching through all notes, and capturing screenshots of the application window via `dev:screenshot`. This provides a significant surface for the exposure of sensitive information stored in the vault. Evidence: `SKILL.md` Read, Search, and Developer sections.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its ability to ingest untrusted data from the vault. Ingestion points: `read`, `daily:read`, `search`, `search:context`, `property:read`. Boundary markers: None present in instructions. Capability inventory: `eval`, `plugin:install`, `delete`, `create`, `command`. Sanitization: None present.
Recommendations
- AI detected serious security threats
Audit Metadata