obsidian-bases — agentic threat model
The obsidian-bases skill presents moderate risk primarily centered on local file system integrity, as it reads and writes YAML configuration files within an Obsidian vault, potentially exposing local notes to corruption or unauthorized modification if manipulated via prompt injection.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.40 |
| Goal-Driven Planning | 0.20 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.30 |
| Persistent Memory | 0.10 |
| Contextual Awareness | 0.40 |
| Dynamic Identity | 0.00 |
| Multi-Agent Interactions | 0.20 |
| Non-Determinism | 0.30 |
| Opacity & Reflexivity | 0.30 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1 (Foundation models): Not certain from the listing — The specific foundation model driving this skill is not disclosed. Standard LLM risks apply, where adversarial prompt injection could force the model to generate malformed YAML or inject malicious formulas into the database views.
Layer 2 (Data operations): The agent operates directly on local data by reading and writing .base YAML files and vault notes. Risks include unauthorized reading of sensitive vault notes, data corruption during write operations, or parsing poisoned markdown files that manipulate the agent's output.
Layer 3 (Agent frameworks): The orchestration framework is responsible for executing file read/write operations. If the tool integration lacks strict path validation, it could be vulnerable to directory traversal, allowing the agent to read or overwrite files outside the designated Obsidian vault.
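The path-validation control the Layer 3 entry calls for can be shown concretely. The following is an added example written for this page, not code from the obsidian-bases skill or from Obsidian; the allowed file types (.base, .md) and the protected hidden directories (.obsidian, .git, .trash) are assumed policy choices, and the vault layout is constructed inline so the example runs offline. The guard resolves the requested path against the vault root, follows symlinks before comparing, and rejects anything that lands outside the vault, touches a protected directory, or is not one of the file types the skill legitimately edits.

```python
"""Confine an agent tool's file reads/writes to an Obsidian vault (added example, assumed policy)."""
import os
import tempfile
from pathlib import Path

# Assumed policy: the only file types a bases-editing skill should touch.
ALLOWED_SUFFIXES = {".base", ".md"}
# Assumed policy: hidden vault directories the skill must never read or write
# (.obsidian holds plugin and app configuration, so a write there changes more than notes).
DENIED_DIRS = {".obsidian", ".git", ".trash"}


class VaultPathError(ValueError):
    """Raised when a requested path would escape the vault or touch a disallowed file."""


def resolve_in_vault(vault_root, requested, for_write=False):
    """Return an absolute Path guaranteed to lie inside vault_root, or raise VaultPathError."""
    requested = str(requested)
    if "\x00" in requested:
        raise VaultPathError("NUL byte in path")
    root = Path(vault_root).resolve(strict=True)   # canonical vault root (symlinks resolved)
    req = Path(requested)
    if req.is_absolute():
        # Joining an absolute path would silently discard the root, so refuse it outright.
        raise VaultPathError(f"absolute paths are not accepted: {requested}")
    # resolve() follows symlinks, so a link inside the vault pointing outside is caught below.
    candidate = (root / req).resolve(strict=False)
    try:
        rel = candidate.relative_to(root)
    except ValueError:
        raise VaultPathError(f"path escapes vault: {requested}") from None
    if any(part in DENIED_DIRS for part in rel.parts):
        raise VaultPathError(f"path touches protected directory: {requested}")
    if candidate.suffix not in ALLOWED_SUFFIXES:
        raise VaultPathError(f"file type not permitted: {candidate.suffix or '(none)'}")
    if for_write and candidate.exists() and not candidate.is_file():
        raise VaultPathError(f"refusing to write over a non-regular file: {requested}")
    return candidate


def demo():
    """Build a constructed vault in a temp dir and run the guard over typical requests."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        vault = tmp / "vault"
        (vault / "Projects").mkdir(parents=True)
        (vault / "Projects" / "tasks.base").write_text("views:\n  - type: table\n", encoding="utf-8")
        outside = tmp / "outside"                       # data that must stay unreachable
        outside.mkdir()
        (outside / "secret.base").write_text("filters: {}\n", encoding="utf-8")
        os.symlink(outside / "secret.base", vault / "link.base")  # planted link pointing out

        requests = {
            "inside": "Projects/tasks.base",
            "dotdot": "../outside/secret.base",
            "absolute": str(outside / "secret.base"),
            "symlink": "link.base",
            "config": ".obsidian/plugins/settings.json",
            "wrong_type": "Projects/run.sh",
            "nul": "Projects/a.base\x00.md",
        }
        results = {}
        for label, req in requests.items():
            try:
                path = resolve_in_vault(vault, req, for_write=True)
                results[label] = "ok:" + path.relative_to(vault.resolve()).as_posix()
            except VaultPathError:
                results[label] = "rejected"
        return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:>10}: {outcome}")
```

Resolving both the root and the candidate before comparing is what makes the symlink case safe; a naive string prefix check on the unresolved path would accept `link.base` and let the read land outside the vault.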
Layer 4 (Deployment and infrastructure): Not certain from the listing — The deployment context (whether running locally as an Obsidian plugin or hosted in a cloud environment accessing a synced vault) is unspecified, which dictates the severity of host compromise and privilege escalation risks.
Layer 5 (Evaluation and observability): Not certain from the listing — There is no mention of logging, guardrails, or evaluation mechanisms to monitor the agent's file-writing activities or detect anomalous file modifications.
Layer 6 (Security and compliance): Not certain from the listing — The listing does not detail any authentication, authorization, or policy enforcement controls, suggesting it inherits the security posture and permissions of the host Obsidian application.
Layer 7 (Agent ecosystem): As an 'Agent Skill', this component is designed to be integrated into larger agentic workflows. A compromised parent agent could abuse this skill to silently exfiltrate vault data or modify database configurations to disrupt user workflows.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).