obsidian-helper

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill's MCP configuration instructs launching "npx -y mcp-obsidian" (https://www.npmjs.com/package/mcp-obsidian), which will fetch and execute remote npm package code at runtime and is listed as a required MCP dependency, so it represents a runtime external dependency that can execute remote code.