
bitbonsai/mcp-obsidian — agentic threat model

AIVSS 8.4 · High

This agent acts as a direct bridge between LLMs and a user's local file system via Obsidian, presenting a high-risk vector for local data exfiltration, modification, or arbitrary file manipulation if malicious prompts are processed.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 7.8
AARS uplift: 1.09
Factor sum: 4.7/10
Threat multiplier (ThM): ×1.05
Mitigation factor: ×0.95

Agentic risk factors (each scored 0 to 1):
Autonomy of Action: 0.60
Goal-Driven Planning: 0.40
Self-Modification: 0.10
Dynamic Tool Use: 0.80
Persistent Memory: 0.50
Contextual Awareness: 0.70
Dynamic Identity: 0.20
Multi-Agent Interactions: 0.30
Non-Determinism: 0.60
Opacity & Reflexivity: 0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
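As an added worked example (not the listing's or the AIVSS calculator's own code), the formula above carried through with this listing's factor values, so the intermediate AARS and the final score can be checked against the numbers shown; the qualitative severity bands are an assumption that AIVSS reuses the CVSS v3.1 scale.

```python
# Worked AIVSS computation for this listing (added example, not the listing's own tooling).
# AIVSS = (CVSS_Base + AARS) * Mitigation_Factor, AARS = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM

# The ten agentic risk factors exactly as scored on the listing (each 0.0 to 1.0).
AGENTIC_FACTORS = {
    "Autonomy of Action": 0.60,
    "Goal-Driven Planning": 0.40,
    "Self-Modification": 0.10,
    "Dynamic Tool Use": 0.80,
    "Persistent Memory": 0.50,
    "Contextual Awareness": 0.70,
    "Dynamic Identity": 0.20,
    "Multi-Agent Interactions": 0.30,
    "Non-Determinism": 0.60,
    "Opacity & Reflexivity": 0.50,
}
CVSS_BASE = 7.8           # CVSS base score from the listing
THREAT_MULTIPLIER = 1.05  # ThM from the listing
MITIGATION_FACTOR = 0.95  # Mitigation_Factor from the listing


def factor_sum(factors: dict) -> float:
    """Sum of the agentic factors; reject anything outside [0, 1]."""
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} out of range: {value}")
    return sum(factors.values())


def aars(cvss_base: float, factors: dict, thm: float) -> float:
    """Agentic uplift: scaled by the headroom left between CVSS_Base and 10."""
    return (10.0 - cvss_base) * (factor_sum(factors) / 10.0) * thm


def aivss(cvss_base: float, factors: dict, thm: float, mitigation: float) -> float:
    """Final AIVSS score before rounding."""
    return (cvss_base + aars(cvss_base, factors, thm)) * mitigation


def severity(score: float) -> str:
    """Qualitative band; assumption: AIVSS reuses the CVSS v3.1 scale."""
    bands = ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High"))
    return next((label for top, label in bands if score <= top), "Critical")


def listing_score(mitigation: float = MITIGATION_FACTOR) -> float:
    """This listing's AIVSS rounded as displayed; mitigation=1.0 shows the
    score with no mitigation credit, i.e. what the 0.95 factor is buying."""
    return round(aivss(CVSS_BASE, AGENTIC_FACTORS, THREAT_MULTIPLIER, mitigation), 1)
```

Running it reproduces the listing's AARS of 1.09 and score of 8.4, and shows that without the 0.95 mitigation credit the same factors would yield 8.9.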

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” carry general, caveated commentary where the public description did not pin that layer down.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — the server is client-agnostic and relies on external models (Claude, ChatGPT). The primary threat is prompt injection via malicious note content that hijacks the model's tool-calling capabilities.

L2 · Data Operations (✓ mapped)

Direct read/write access to local Obsidian vaults. Threats include unauthorized data exfiltration of sensitive personal notes, knowledge-base poisoning via malicious file writes, and directory traversal if path validation is weak.

L3 · Agent Frameworks (✓ mapped)

Exposes 11 methods for search, batch operations, and tag/frontmatter handling. Threat of tool misuse is high if an LLM is tricked into executing destructive batch deletes or mass modifications of local files.

L4 · Deployment & Infrastructure (✓ mapped)

Runs locally as an MCP server. The primary threat is local privilege escalation or unauthorized file system access if the host environment does not properly sandbox the node/python process running the server.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — there is no mention of built-in logging, audit trails, or guardrails to monitor and intercept destructive file operations before they are executed on the local disk.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

The listing claims 'safe read/write access' but does not detail authentication, authorization, or user-confirmation prompts (Human-in-the-Loop) before executing destructive file modifications.

L7 · Agent Ecosystem (✓ mapped)

Designed to integrate with any MCP client. If chained with other agents in a multi-agent workflow, a compromised upstream agent could abuse this tool to read or corrupt the user's entire personal knowledge base.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).