Trust Assessment
obsidian received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 3 critical, 3 high, 0 medium, and 0 low severity. Key findings include "Arbitrary command execution", "Dangerous call: subprocess.run()", and "Arbitrary filesystem access via vault path manipulation".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/ruslanlanket/obsidian-direct/scripts/obsidian_search.py:81 |
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/ruslanlanket/obsidian-direct/scripts/obsidian_search.py:93 |
| CRITICAL | **Arbitrary filesystem access via vault path manipulation.** The skill allows users to specify the Obsidian vault path via the `--vault` command-line argument or the `OBSIDIAN_VAULT` environment variable. This means an attacker can direct the skill to read from or write to any directory on the filesystem that the agent has permissions for. This can lead to data exfiltration (reading sensitive files) or arbitrary file creation/modification (e.g., overwriting system files, creating malicious scripts or configuration files). Both `obsidian_cli.py` and `obsidian_search.py` are affected. Restrict the `--vault` argument and `OBSIDIAN_VAULT` environment variable to a predefined, safe directory or a set of allowed directories. Implement strict validation to ensure the path is within the intended scope and does not escape a designated sandbox. If the skill is intended to operate on a user-specified vault, ensure the agent's permissions are strictly limited to that vault and its subdirectories, and that the agent runs in a sandboxed environment. | LLM | scripts/obsidian_cli.py:20 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function 'grep_search'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/ruslanlanket/obsidian-direct/scripts/obsidian_search.py:81 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function 'grep_search'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/ruslanlanket/obsidian-direct/scripts/obsidian_search.py:93 |
| HIGH | **Path traversal vulnerability in file operations.** The `create_note` function constructs a new note's path using `vault / folder / f"{title}.md"`. If the `folder` or `title` arguments (which are user-controlled) contain path traversal sequences (e.g., `../`), an attacker could create files outside the intended Obsidian vault directory. Similarly, the `list_notes` function uses `vault / folder` to determine the search path, potentially allowing an attacker to list files in arbitrary directories outside the vault. This can lead to data exfiltration or unauthorized file modification. Before constructing file paths, sanitize user-provided `folder` and `title` inputs to remove or neutralize path traversal sequences (`../`). Use `Path.resolve()` with `strict=True` on the final path to ensure it remains within the intended vault directory. Alternatively, validate that `folder` and `title` do not contain directory separators or `..` components. | LLM | scripts/obsidian_cli.py:103 |