obsidian-second-brain

Name: obsidian-second-brain
Author: eugeniughelbur

Share on X Share on LinkedIn Share on Bluesky

100Critical

This skill facilitates arbitrary remote code execution via unverified shell scripts, lacks essential security sandboxing, and allows untrusted external content to persistently override agent behavior and exfiltrate sensitive credentials.

ThreatsCI SM CS BC S HITL

Threat Analysis

AI Agent Traps ↗Scanned 6/22/2026

Content InjectionPerception2 findings

Semantic ManipulationReasoning1 finding

Cognitive StateMemory & Learning2 findings

Behavioural ControlAction8 findings

SystemicMulti-Agent Dynamics2 findings

Human-in-the-LoopHuman Overseerclean

Skill Info

Nameeugeniughelbur/obsidian-second-brain

Registrygithub

Version9930ebfdb7c5

PURLpkg:github/eugeniughelbur/obsidian-second-brain@9930ebfdb7c5

Stars2,597

Source

Repository ↗SKILL.md ↗

Install

This skill has been flagged as potentially malicious. Review the findings below before installing.

GitHub

Skills.shDocs

npx skills add https://github.com/eugeniughelbur/obsidian-second-brain

Assessments (7)

AI Agent Traps ↗

Description Mismatchcriticaldescription mismatchAML.T0011.000LLM06:2025LLM09:2025

The skill documentation promotes the use of `curl | bash` for installation and includes instructions for setting up background hooks that execute arbitrary shell scripts, which contradicts the security-conscious nature of an 'AI-first' knowledge base.

85% confidence

The 'Bootstrap a new vault' section explicitly instructs users to pipe a remote script into bash: `curl -sL https://raw.githubusercontent.com/.../quick-install.sh | bash`.

Remote code download and execution detectedcriticalcommand executionAML.T0050AML.T0053AML.T0072LLM05:2025LLM06:2025

Remote code download and execution detected

100% confidenceline 75

curl -sL https://raw.githubusercontent.com/eugeniughelbur/obsidian-second-brain/main/scripts/quick-install.sh | bash

Background agent runs with --dangerously-skip-permissionscriticalcommand executionAML.T0050AML.T0053AML.T0072LLM05:2025LLM06:2025

The PostCompact background agent spawns a headless claude subprocess with --dangerously-skip-permissions, driven by the compaction summary. This removes all permission guardrails from an agent whose prompt is partially derived from potentially attacker-influenced conversation content.

91% confidenceline 1206

'Spawns a headless claude --dangerously-skip-permissions -p subprocess in the vault directory'; 'Agent runs silently, propagates updates, and exits - user sees nothing'

A remote resource is downloaded with curl/wget and piped directly into a shell interpreter (optionally via sudo). The downloaded script runs with no integrity check (no checksum/signature), so a compromised server, MITM, or hijacked URL leads to arbitrary code execution. Download to a file, verify it (e.g. sha256sum -c against a pinned digest, or a signature), then execute it.criticalvulnAML.T0050AML.T0053AML.T0072LLM05:2025LLM06:2025

95% confidenceline 2

curl -sL https://raw.githubusercontent.com/eugeniughelbur/obsidian-second-brain/main/scripts/quick-install.sh | bash

Over-privileged background agent executionhighautonomy abuseAML.T0034.002AML.T0053LLM06:2025LLM10:2025

The skill configures a background agent that runs autonomously after context compaction, potentially performing unauthorized file modifications without direct user oversight.

85% confidenceline 1198

A background agent that fires automatically whenever Claude compacts the conversation context.

Unrestricted shell execution via hookshighcommand executionAML.T0050AML.T0053AML.T0072LLM05:2025LLM06:2025

The skill provides instructions to wire shell scripts into Claude's hook system, granting the skill persistent, automated execution capabilities outside of the user's immediate interaction loop.

90% confidenceline 1234

"command": "/Users/you/.claude/skills/obsidian-second-brain/hooks/obsidian-bg-agent.sh"

Third-party credential custody via ~/.config env filemediumcredential theftAML.T0055AML.T0037LLM02:2025

API keys for xAI Grok, Perplexity, YouTube, and OpenAI are stored in ~/.config/obsidian-second-brain/.env and loaded by research scripts. These scripts are executed via uv run against an external package ecosystem, meaning a compromised or supply-chain-attacked dependency could read and exfiltrate these credentials.

72% confidence

'API keys live at ~/.config/obsidian-second-brain/.env. Run install.sh and answer y to the research toolkit prompt'; 'uv run -m scripts.research.x_read', 'uv run -m scripts.research.research'

Data exfiltration risk via research toolsmediumdata exfiltrationAML.T0025AML.T0024LLM02:2025

The research toolkit sends vault content and user queries to external services (Perplexity, Grok, NotebookLM) without explicit per-request confirmation, posing a risk of sensitive data exposure.

75% confidenceline 14

Includes a research toolkit (7 commands: /x-read, /x-pulse, /research, /research-deep, /notebooklm, /youtube, /podcast)

Implicit tool shadowing via instructionmediumtool shadowing

The skill instructs the agent to prefer its own slash commands and custom logic over built-in MCP tools or standard file operations, effectively overriding the platform's intended tool usage patterns.

90% confidenceline 45

If MCP is not installed, silently use filesystem access. Tell the user ONCE (first time only)...

Indirect prompt injection via ingested external contenthighindirect prompt injection

The /obsidian-ingest command fetches arbitrary URLs and pasted text, extracts entities and claims, and then uses that content to drive vault writes and subagent spawning. An attacker-controlled webpage or document could embed instructions that the agent treats as authoritative vault rules, especially since _CLAUDE.md content 'overrides the defaults in this skill'.

88% confidence

'/obsidian-ingest': 'Accept a URL, file path, or pasted text as the source... Read or fetch the full source content... Extract: entities, concepts, claims, action items'; '_CLAUDE.md wins on all vault-specific rules'

Indirect prompt injection via external scriptshighindirect prompt injection

The skill encourages the agent to execute remote scripts via curl-to-bash, which can be used to inject arbitrary instructions or malicious payloads into the agent's execution environment.

95% confidenceline 75

curl -sL https://raw.githubusercontent.com/eugeniughelbur/obsidian-second-brain/main/scripts/quick-install.sh | bash

Sub-agent spawning with attacker-influenced promptshighsub agent spawningAML.T0053AML.T0051.001LLM06:2025

Multiple commands (/obsidian-save, /obsidian-recap, /obsidian-health, /obsidian-ingest, /research-deep) spawn parallel subagents whose prompts are constructed from vault content and ingested external sources. Since vault content can include attacker-controlled data (ingested URLs, pasted text, X posts), a malicious source could inject instructions into the subagent prompt chain.

82% confidence

'/obsidian-ingest': 'Spawn parallel subagents to distribute knowledge'; '/research-deep': 'Emits a JSON propagation payload... Calling Claude reads that payload and runs /obsidian-save-style propagation: spawns parallel subagents'

Autonomy abuse via scheduled headless agentsmediumautonomy abuseAML.T0034.002AML.T0053LLM06:2025LLM10:2025

Four scheduled agents (morning, nightly, weekly, health-check) run autonomously with no user interaction, with the nightly agent performing reconciliation, synthesis, and vault-wide rewrites. The nightly prompt explicitly instructs the agent to 'auto-resolve clear winners' in contradictions, making irreversible knowledge changes without human review.

77% confidence

'obsidian-nightly': 'Auto-resolve clear winners. Flag ambiguous ones in wiki/decisions/'; 'Do not ask questions. Do not fix anything destructive — only add, update, link. Save and stop.'

_CLAUDE.md override enables persistent instruction injectionhighmemory poisoningAML.T0020AML.T0070LLM04:2025LLM08:2025

The skill grants _CLAUDE.md unconditional precedence over all skill defaults, and /obsidian-init auto-generates this file from vault content discovered at runtime. If an attacker can place content in the vault (e.g., via /obsidian-ingest), they can influence the generated _CLAUDE.md, which then persistently overrides agent behavior across all future sessions.

78% confidence

'_CLAUDE.md wins on all vault-specific rules... Never let skill defaults override an explicit _CLAUDE.md rule'; '/obsidian-init': 'Generate a complete _CLAUDE.md... filled with real values from the vault'

Global/unverified dependency execution — global npm/yarn package, dotnet tool, or auto-confirmed npx run without version or integrity pinningmediumsupply chainAML.T0010AML.T0019AML.T0058LLM03:2025

Global/unverified dependency execution — global npm/yarn package, dotnet tool, or auto-confirmed npx run without version or integrity pinning

100% confidenceline 47

npx -y

Missing allowed-tools declarationlowunauthorized tool use

Skill executes commands, writes files, or accesses the network but declares no allowed-tools, so its tool surface cannot be reviewed or constrained.

90% confidence

Undeclared network usagelowunauthorized tool use

Skill contains network access patterns (HTTP requests, socket connections) without declaring network capability in allowed-tools.

60% confidence

Referenced file missing from skill packagelowpolicy violation

SKILL.md links to "hooks/validate-ai-first.hook.yaml" but the file is not part of the skill package — the workflow silently degrades or the content is sourced elsewhere at runtime

90% confidence

[`hooks/validate-ai-first.hook.yaml`](hooks/validate-ai-first.hook.yaml)

Referenced file missing from skill packagelowpolicy violation

SKILL.md links to "references/ai-first-rules.md" but the file is not part of the skill package — the workflow silently degrades or the content is sourced elsewhere at runtime

90% confidence

[`references/ai-first-rules.md`](references/ai-first-rules.md)

Missing licenseinfopolicy violation

Skill does not specify a license field. Specifying a license helps users understand usage terms.

100% confidence

Missing or insufficient descriptioninfopolicy violation

Skill description is empty or too short. A clear description helps users evaluate the skill's purpose.

100% confidence

Badge

Markdown

[![Mondoo Skill Check](https://mondoo.com/ai-agent-security/api/badge/github/eugeniughelbur/obsidian-second-brain.svg)](https://mondoo.com/ai-agent-security/skills/github/eugeniughelbur/obsidian-second-brain)

HTML

<a href="https://mondoo.com/ai-agent-security/skills/github/eugeniughelbur/obsidian-second-brain"><img src="https://mondoo.com/ai-agent-security/api/badge/github/eugeniughelbur/obsidian-second-brain.svg" alt="Mondoo Skill Check" /></a>

Image URL

https://mondoo.com/ai-agent-security/api/badge/github/eugeniughelbur/obsidian-second-brain.svg

Secure your AI agents

Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.

Continuous scanning of skills across all registries
Policy enforcement before skills reach your agents
Integration with your existing security workflow