obsidian-devtools
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION)
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The tool `obsidian_eval` enables the execution of arbitrary JavaScript within the Obsidian application context. Because Obsidian is an Electron-based app, this allows the agent to interact with the local file system and internal application data via the `app.vault` and other Obsidian APIs.
- [REMOTE_CODE_EXECUTION] (HIGH): The `expression` parameter in `obsidian_eval` allows for unconstrained code execution. If an agent is influenced to run malicious code, it has the same permissions as the Obsidian application on the host machine.
- [INDIRECT_PROMPT_INJECTION] (HIGH): The skill possesses a dangerous combination of data ingestion and high-privilege execution capabilities.
  - Ingestion points: `obsidian_inspect_dom` (reads UI content including note text) and `obsidian_read_console` (reads logs).
  - Boundary markers: Absent. The skill does not provide any delimiters or instructions to help the agent distinguish between data and commands.
  - Capability inventory: `obsidian_eval` (JS execution), `obsidian_launch_debug` (process management).
  - Sanitization: None. The skill treats all data from the Obsidian environment as trusted, meaning a malicious note could contain instructions that trick the agent into executing harmful JS via `obsidian_eval`.
- [DATA_EXFILTRATION] (MEDIUM): The tools are specifically designed to inspect the application state, which includes reading vault names, file paths, and metadata. This exposes sensitive personal information that an agent could then extract or transmit.
Recommendations
- AI detected serious security threats