Oathe Security Badge

Is bastos/obsidian-daily safe?

https://github.com/openclaw/skills/tree/main/skills/bastos/obsidian-daily

88
SAFE

The bastos/obsidian-daily skill is a legitimate Obsidian Daily Notes assistant with no malicious code, prompt injection instructions, or data exfiltration mechanisms. The primary concern is a published SKILL.md containing unresolved git merge conflict markers in the YAML frontmatter, indicating a broken release process and version inconsistency (1.2.1 vs 2.0). The canary file accesses observed during monitoring are attributable to the Oathe audit framework itself, not the skill. The skill's inherent vault read access creates a secondary prompt injection surface if malicious notes are present in the user's vault.

Category Scores

Prompt Injection 78/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (5)

MEDIUM Unresolved git merge conflict markers in SKILL.md frontmatter -22

The published SKILL.md contains raw git merge conflict syntax (<<<<<<< Updated upstream / >>>>>>> Stashed changes) inside the YAML frontmatter block. This will cause YAML parsers to fail and will present the conflict markers as literal text to any LLM consuming the skill, potentially confusing metadata parsing or introducing unexpected tokens into the agent's context.

LOW Version metadata inconsistency between _meta.json and SKILL.md -5

_meta.json records the latest version as 1.2.1 while the conflict branch within SKILL.md claims version 2.0. This inconsistency suggests either a failed merge of a major version bump or a metadata tampering event, and undermines confidence in the artifact's provenance.

LOW Vault content read commands expose sensitive note data in agent context -10

The obsidian-cli print and search-content commands will read arbitrary vault file content into the agent's conversation context. If the user's vault contains API keys, passwords, or private information stored in notes, these will become visible to the agent and potentially included in responses.

INFO Second-order prompt injection via vault note content -20

Any skill that reads Obsidian notes and feeds content to an LLM agent is a potential vector for second-order prompt injection: a malicious note left in the vault (by another user, sync, or attacker) could inject instructions when read. This is a systemic risk for all vault-reading skills, not unique to this one.

INFO Canary file accesses attributable to audit framework, not skill -5

Inotify and auditd records show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials were opened during the monitoring window. These accesses occur at timestamps before the skill install begins (audit ts 1771907163) and after it completes (ts 1771907189), consistent with the Oathe audit framework's own canary setup and integrity verification routines. The skill contains no executable code that could perform filesystem access at install time.