Is benoitjadinon/obsidian-plugin-tasknotes safe?

https://github.com/openclaw/skills/tree/main/skills/benoitjadinon/obsidian-plugin-tasknotes

90
SAFE

The benoitjadinon/obsidian-plugin-tasknotes skill is a legitimate, well-scoped Obsidian task management integration. It communicates exclusively with a localhost HTTP API, contains no prompt injection vectors, performs no credential exfiltration, and left all canary files intact during monitored installation. The primary concern is a hardcoded 4-level path traversal to locate the vault root .env file, which may resolve to unexpected directories depending on installation layout, though all data from that file is used only for local API authentication and never transmitted externally.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 82/100 · 25%
Code Execution 87/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 88/100 · 5%

Findings (4)

LOW Vault root detection uses fixed 4-level path traversal -13

VAULT_ROOT is computed as Path(file).parent.parent.parent.parent, hardcoding the assumption that the script lives exactly 4 directory levels below the Obsidian vault root. If installed at a shallower or deeper path, VAULT_ROOT resolves to an unexpected directory (e.g., /home/ or / in the sandbox environment). load_dotenv() will silently succeed or fail depending on whether a .env exists there, potentially loading environment variables from an unintended location.

LOW --details flag writes arbitrary text into vault markdown files -7

The update and create commands accept a --details argument that is written directly to the body of a task's markdown file in the Obsidian vault via the TaskNotes API. An LLM agent acting on user instructions could be prompted to write attacker-controlled content into vault files, potentially injecting Obsidian transclusions, wikilinks, or malformed frontmatter that affects other vault-integrated tools.

INFO uv inline script dependencies fetched from PyPI on first execution -8

The script uses uv run --script with PEP 723 inline metadata declaring requests and python-dotenv as dependencies. On first run uv will resolve and download these packages from PyPI. This is standard uv behavior and the packages are well-known, but it introduces a network dependency at runtime.

INFO Stale developer lock.json shipped in repo -3

.clawhub/lock.json in the skill directory references academic-research-hub v0.1.0 (installedAt: 1770957475341), indicating this file was committed from a developer's local ClawHub installation rather than being generated fresh for this skill. No security impact but indicates incomplete artifact hygiene.