obsidian-cli — agentic threat model
The obsidian-cli agent presents a high-risk profile due to its ability to execute arbitrary JavaScript and run CLI commands on the host system, creating a direct path to local host compromise if exploited via prompt injection.
OWASP AIVSS score rationale
| Agentic risk factor | Score | Rationale |
| --- | --- | --- |
| Autonomy of Action | 0.70 | |
| Goal-Driven Planning | 0.60 | |
| Self-Modification | 0.50 | |
| Dynamic Tool Use | 0.90 | |
| Persistent Memory | 0.30 | |
| Contextual Awareness | 0.70 | |
| Dynamic Identity | 0.20 | |
| Multi-Agent Interactions | 0.10 | |
| Non-Determinism | 0.60 | |
| Opacity & Reflexivity | 0.50 | |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1 (Foundation Models). Not certain from the listing — The listing does not specify the underlying LLM that drives this CLI skill. Standard LLM risks such as prompt injection could lead to arbitrary CLI command execution or malicious JS execution.
Layer 2 (Data Operations). The agent directly reads, writes, and searches local Obsidian vaults. Threats include local data exfiltration, markdown/metadata injection, and unauthorized modification of sensitive personal or knowledge-base files.
Layer 3 (Agent Frameworks). High risk of tool misuse and insecure tool integration. The agent can execute arbitrary JavaScript in Obsidian and run CLI commands, which can be abused via prompt injection to execute malicious code or access the local filesystem.
Layer 4 (Deployment and Infrastructure). Runs as an external CLI tool on the user's local machine. Threats include host compromise, local privilege escalation, and execution of arbitrary system commands if the CLI is not sandboxed.
Layer 5 (Evaluation and Observability). Not certain from the listing — The listing does not mention any built-in logging, guardrails, or evaluation frameworks to monitor the execution of CLI commands or JavaScript.
Layer 6 (Security and Compliance). Not certain from the listing — No authentication, authorization policies, or compliance controls are mentioned for restricting which CLI commands or JS scripts can be run.
Layer 7 (Agent Ecosystem). Not certain from the listing — The listing describes a single-user local CLI skill and does not detail multi-agent coordination or marketplace interactions.
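The two gaps flagged above for observability and for authorization (no logging of CLI execution, no policy restricting which commands may run) can be closed on the host side. The following is an added example, not part of this listing or of obsidian-cli itself: a default-deny allow-list gate with an audit trail that sits between the agent and the shell. The subcommand names, the vault path and the sample calls are constructed assumptions, not the real obsidian-cli interface.

```python
import json
import os
import shlex
import time

# Constructed policy for this example (an assumption, not obsidian-cli's real
# interface): binaries the agent may invoke and the subcommands permitted for
# each. Anything not listed is denied by default.
ALLOWED_COMMANDS = {"obsidian-cli": {"search", "print", "create"}}
# One tool call must stay one command: any shell operator could turn an
# allow-listed invocation into an arbitrary pipeline.
SHELL_OPERATORS = set(";|&`$<>(){}\n")


def _inside_vault(arg, vault_root):
    """Resolve a path-like argument and require it to stay under the vault."""
    root = os.path.realpath(vault_root)
    target = os.path.realpath(os.path.join(root, arg))
    return os.path.commonpath([root, target]) == root


def _denial_reason(command_line, vault_root):
    """Return why the call is refused, or None if it passes every check."""
    if any(ch in SHELL_OPERATORS for ch in command_line):
        return "shell operator in command line"
    argv = shlex.split(command_line)  # raises ValueError on unbalanced quotes
    if not argv or argv[0] not in ALLOWED_COMMANDS:  # exact name, no paths
        return f"binary not allow-listed: {argv[0] if argv else '(empty)'}"
    sub = argv[1] if len(argv) > 1 else "(none)"
    if sub not in ALLOWED_COMMANDS[argv[0]]:
        return f"subcommand not allow-listed: {sub}"
    for arg in argv[2:]:
        if ("/" in arg or arg.startswith("..")) and not _inside_vault(arg, vault_root):
            return f"path resolves outside the vault: {arg}"
    return None


def authorize(command_line, vault_root, audit_log):
    """Decide one agent-requested CLI call and record it, allowed or not,
    as a JSON line in audit_log so the decision is observable afterwards."""
    try:
        reason = _denial_reason(command_line, vault_root)
    except ValueError as exc:
        reason = f"unparseable command line: {exc}"
    record = {"ts": time.time(), "command": command_line,
              "allowed": reason is None, "reason": reason}
    audit_log.append(json.dumps(record))
    return record
```

Every attempt is logged, including denials, since a burst of refused calls is itself the signal that a prompt-injection attempt is under way.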
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).