obsidian

SUSPICIOUS: the skill’s local note-management behavior is broadly aligned with its purpose, but the trust chain is inconsistent because it presents as an Obsidian skill while installing a third-party CLI from an unrelated publisher instead of Obsidian’s official CLI path. Risk is driven by supply-chain ambiguity, not confirmed malicious behavior or exfiltration.