Trust Assessment
obsidian-bases received a trust score of 83/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. Key findings include Potential Cross-Site Scripting (XSS) and Data Exfiltration via `html()` function, Access to arbitrary file properties and paths enabling data exfiltration.
The analysis covered 4 layers: dependency_graph, manifest_analysis, static_code_analysis, llm_behavioral_safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 15, 2026 (commit 3e75fabd). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings2
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Potential Cross-Site Scripting (XSS) and Data Exfiltration via `html()` function The skill documentation describes an `html(string): html` function which explicitly states it will "Render as HTML". If an LLM is prompted by a malicious user to generate a `.base` file where untrusted input is passed to this function, and the rendering environment (Obsidian) does not adequately sanitize the HTML, it could lead to Cross-Site Scripting (XSS) or arbitrary content injection. This could be used to exfiltrate sensitive data (e.g., via `<img>` tags with external URLs, or JavaScript) or execute malicious scripts within the Obsidian application. This capability, when exposed to an LLM, creates a high risk if the LLM is not robustly guarded against generating malicious payloads. Implement strict input validation and sanitization for any user-provided strings that might be passed to the `html()` function by the LLM. The LLM should be explicitly instructed and guarded against generating arbitrary HTML. The rendering application (Obsidian) should also implement robust HTML sanitization to mitigate XSS risks. | Unknown | SKILL.md:140 | |
| MEDIUM | Access to arbitrary file properties and paths enabling data exfiltration The skill documentation describes `file.properties` which exposes "All frontmatter properties" of a note, and the `file(path)` function which allows referencing arbitrary files by their path. If an LLM is prompted by a malicious user to generate a `.base` file that accesses and displays sensitive information from frontmatter of arbitrary files within the Obsidian vault (e.g., `file("secrets.md").properties.api_key`), this could lead to data exfiltration within the Obsidian UI. This capability, when exposed to an LLM, creates a risk if the LLM is not robustly guarded against generating payloads that expose sensitive data from arbitrary files. The LLM should be explicitly instructed and guarded against generating `.base` files that attempt to access or display sensitive `file.properties` from arbitrary or user-specified file paths. Access control mechanisms should be considered for `.base` files or the underlying Obsidian plugin to restrict access to sensitive file properties. | Unknown | SKILL.md:90 |
Scan History
Embed Code
[](https://skillshield.io/report/4faf580e3d29e608)
Powered by SkillShield