Back to skill

Security audit

Obsidian

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Obsidian note-management skill with disclosed local vault access and a disclosed third-party CLI dependency.

Install only if you trust the yakitrak Homebrew tap and are comfortable letting the agent read your Obsidian vault configuration and user-directed note contents. Confirm paths carefully before move or delete operations, especially in important vaults.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly documents a destructive delete command without any caution, confirmation guidance, backup advice, or safer alternatives. In the context of an agent skill that may be used to automate note management, this increases the risk of accidental or overly broad data loss if an agent or user invokes deletion on the wrong path or vault.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.