Trust Assessment
obsidian-bases received a trust score of 83/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. The key findings are "Potential Cross-Site Scripting (XSS) and Data Exfiltration via `html()` function" (high) and "Access to arbitrary file properties and paths enabling data exfiltration" (medium).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 15, 2026 (commit 3e75fabd). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Potential Cross-Site Scripting (XSS) and Data Exfiltration via `html()` function. The skill documentation describes an `html(string): html` function which explicitly states it will "Render as HTML". If an LLM is prompted by a malicious user to generate a `.base` file in which untrusted input is passed to this function, and the rendering environment (Obsidian) does not adequately sanitize the HTML, the result could be Cross-Site Scripting (XSS) or arbitrary content injection. This could be used to exfiltrate sensitive data (e.g., via `<img>` tags with external URLs, or JavaScript) or to execute malicious scripts within the Obsidian application. This capability, when exposed to an LLM, creates a high risk if the LLM is not robustly guarded against generating malicious payloads. Remediation: implement strict input validation and sanitization for any user-provided strings that might be passed to the `html()` function by the LLM; explicitly instruct and guard the LLM against generating arbitrary HTML; and have the rendering application (Obsidian) implement robust HTML sanitization to mitigate XSS risks. | LLM | SKILL.md:140 |
| MEDIUM | Access to arbitrary file properties and paths enabling data exfiltration. The skill documentation describes `file.properties`, which exposes "All frontmatter properties" of a note, and the `file(path)` function, which allows referencing arbitrary files by their path. If an LLM is prompted by a malicious user to generate a `.base` file that accesses and displays sensitive information from the frontmatter of arbitrary files within the Obsidian vault (e.g., `file("secrets.md").properties.api_key`), this could lead to data exfiltration within the Obsidian UI. This capability, when exposed to an LLM, creates a risk if the LLM is not robustly guarded against generating payloads that expose sensitive data from arbitrary files. Remediation: explicitly instruct and guard the LLM against generating `.base` files that attempt to access or display sensitive `file.properties` from arbitrary or user-specified file paths; consider access control mechanisms for `.base` files or the underlying Obsidian plugin to restrict access to sensitive file properties. | LLM | SKILL.md:90 |