Trust Assessment
obsidian-tasks received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 2 high, 1 medium, and 1 low severity. Key findings include: path traversal via the `--folder` argument, which allows writing to arbitrary locations; data exfiltration via Dataview query path traversal in `Dashboard.md`; and an unpinned `npx clawhub@latest` dependency in the publish script.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 61/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Path Traversal via '--folder' argument allows writing to arbitrary locations.** The `scripts/setup.py` script uses `os.path.join(vault, args.folder)` to construct the target directory for creating `Board.md` and `Dashboard.md`. If the `args.folder` input (provided by the user via the `--folder` command-line argument) contains path traversal sequences (e.g., `../`), an attacker can cause the script to create directories and write files to arbitrary locations outside the intended `vault_path`. For example, providing `--folder ../.ssh` could lead to the creation of `.ssh/Board.md` in the user's home directory, potentially overwriting or exposing sensitive files. Sanitize the `args.folder` input to prevent path traversal. Ensure it does not contain `..` or `/` characters, or use `os.path.normpath` and validate that the resulting path remains strictly within the intended `vault_path` before creating directories or writing files. A simpler approach might be to restrict `args.folder` to be a single, simple directory name without path separators. | LLM | scripts/setup.py:40 |
| HIGH | **Data Exfiltration via Dataview query path traversal in Dashboard.md.** The `create_dashboard` function in `scripts/setup.py` embeds the `tasks_folder` (derived directly from the user-provided `args.folder`) into Dataview queries within the generated `Dashboard.md`. If `args.folder` contains path traversal sequences (e.g., `../../sensitive_data`), the resulting Dataview queries will attempt to read data from unintended directories relative to the Obsidian vault root. When the `Dashboard.md` is opened in Obsidian, this could lead to the display of sensitive information from outside the designated tasks folder, effectively exfiltrating data within the Obsidian environment. Sanitize the `args.folder` input to prevent path traversal. Ensure it does not contain `..` or `/` characters. The `tasks_folder` should be a simple, validated folder name, or its path should be normalized and validated to be strictly within the vault's boundaries before being used in the Dataview queries. | LLM | scripts/setup.py:43 |
| MEDIUM | **Unpinned 'npx clawhub@latest' dependency in publish script.** The `scripts/publish_clawhub.sh` script uses `npx -y clawhub@latest` to publish the skill. Relying on the `latest` tag means that any future version of the `clawhub` CLI tool, which could potentially introduce breaking changes, vulnerabilities, or malicious code, would be executed without explicit review. This introduces a supply chain risk as the integrity and behavior of the publishing process are not guaranteed to remain consistent across different executions. Pin the `clawhub` dependency to a specific version (e.g., `npx -y clawhub@1.2.3`). This ensures that the exact version of the tool is used, providing reproducibility and reducing the risk of unexpected changes or vulnerabilities introduced in newer versions. | LLM | scripts/publish_clawhub.sh:19 |
| LOW | **Potential Command Injection via user-provided arguments in publish script.** The `scripts/publish_clawhub.sh` script passes user-provided `$VERSION` and `$CHANGELOG` arguments directly to the `npx clawhub publish` command. While these arguments are double-quoted (`"$VERSION"`, `"$CHANGELOG"`), which mitigates basic shell injection by preventing word splitting and globbing, a sophisticated attacker could craft these values to exploit vulnerabilities in the `clawhub` CLI tool itself, or if `clawhub` were to internally execute these arguments in a sub-shell without proper sanitization. This is a theoretical risk, but it's best practice to sanitize all user-controlled inputs before passing them to external commands. Implement input validation for `$VERSION` and `$CHANGELOG` to ensure they conform to expected formats (e.g., semantic versioning for `VERSION`, plain text for `CHANGELOG`) and do not contain any shell metacharacters or other potentially malicious content. This adds a layer of defense even if the external tool is assumed to be safe. | LLM | scripts/publish_clawhub.sh:25 |