obsidian-developer
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- COMMAND_EXECUTION (HIGH): The tool obsidian_eval allows for arbitrary JavaScript execution within the Obsidian application context. Evidence is found in SKILL.md and knowledge/cdp-protocol.md. This capability allows for the reading, modification, and potential deletion of user data within the vault via the app.vault API.
- REMOTE_CODE_EXECUTION (HIGH): The skill architecture is built on the Chrome DevTools Protocol (CDP) to execute logic remotely. Evidence in knowledge/cdp-protocol.md and knowledge/sdk-reference.md confirms the use of Runtime.evaluate to execute instructions sent from the agent.
- PROMPT_INJECTION (HIGH): The skill possesses a high risk of indirect prompt injection due to its design to process untrusted data. Evidence:
  - Ingestion points: Vault content is read via app.vault.read() (knowledge/api-basics.md) and sdk.read_file() (knowledge/sdk-reference.md).
  - Boundary markers: None are present in instructions to distinguish vault data from instructions.
  - Capability inventory: Access to obsidian_eval, app.vault.modify, app.vault.create, and obsidian_update_frontmatter across multiple files provides high-privilege write and execute functions.
  - Sanitization: No evidence of sanitizing or escaping external markdown content before it is processed by the agent.
- DATA_EXFILTRATION (MEDIUM): The combination of vault-wide read access (app.vault.getFiles) and the availability of standard browser APIs (such as fetch) within the Obsidian context enables the potential exfiltration of sensitive personal knowledge base data.
Recommendations
- AI detected serious security threats
Audit Metadata