mcp-obsidian — agentic threat model
The mcp-obsidian agent presents a high-risk profile: it has direct filesystem read/write access to the user's vault, so a prompt injection that hijacks it (for example via instructions embedded in a note it reads) could exfiltrate or destroy personal data.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
|---|---|
| Autonomy of Action | 0.60 |
| Goal-Driven Planning | 0.30 |
| Self-Modification | 0.10 |
| Dynamic Tool Use | 0.70 |
| Persistent Memory | 0.40 |
| Contextual Awareness | 0.50 |
| Dynamic Identity | 0.10 |
| Multi-Agent Interactions | 0.20 |
| Non-Determinism | 0.50 |
| Opacity & Reflexivity | 0.40 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
L1 Foundation Models: Not certain from the listing — The agent relies on external LLMs via the MCP host; the principal threat is indirect prompt injection, where malicious instructions stored in Markdown notes hijack the model's execution flow.
L2 Data Operations: Directly accesses local Markdown files within a designated vault. Risks include exfiltration of sensitive personal notes, unauthorized modification of files, and knowledge-base poisoning via malicious note creation.
L3 Agent Frameworks: Exposes filesystem tools (read, write, edit, search) to the orchestrating LLM. Vulnerable to tool misuse where the LLM is tricked into overwriting critical files, or into traversing directories outside the intended vault if path sanitization is weak (the check must be performed on the resolved path, not on the string the model supplied).
L4 Deployment and Infrastructure: Runs locally as an MCP server. Security depends entirely on the host application's sandboxing; if unconstrained, a compromised agent could access other parts of the host filesystem beyond the OBSIDIAN_VAULT path.
L5 Evaluation and Observability: Not certain from the listing — There is no mention of built-in logging, guardrails, or run-time monitoring to detect anomalous file modifications or unauthorized search queries.
L6 Security and Compliance: Lacks built-in authentication or authorization mechanisms; any client capable of connecting to the MCP server inherits full read/write permissions to the configured vault.
L7 Agent Ecosystem: As an MCP tool, it can be chained with other agents. A compromised orchestrator or upstream agent could abuse this tool to systematically search for and exfiltrate credentials or sensitive personal data.
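The Agent Frameworks and Deployment layers above both hinge on whether a tool-supplied path can escape the vault. The following is an added example (not code from mcp-obsidian or its hosts) of the confinement check an MCP filesystem tool should apply before any read or write; the vault layout it builds is constructed for the demo, and the function names are assumptions.

```python
"""Vault-confined path resolution for an MCP filesystem tool (added example)."""
import os
import tempfile
from pathlib import Path


class VaultEscape(ValueError):
    """Raised when a requested path would resolve outside the vault root."""


def resolve_in_vault(vault_root: str, requested: str) -> Path:
    """Map a tool-supplied relative path onto the vault and refuse escapes.

    The check runs on the *resolved* path (symlinks followed), so both
    '../' traversal and a symlink inside the vault that points outside it
    are rejected. Absolute paths are rejected outright.
    """
    root = Path(vault_root).resolve(strict=True)
    if Path(requested).is_absolute():
        raise VaultEscape(f"absolute paths are not allowed: {requested!r}")
    candidate = (root / requested).resolve(strict=False)
    # is_relative_to compares path components, not string prefixes,
    # so '/vault' does not accidentally accept '/vault-other/...'.
    if not candidate.is_relative_to(root):
        raise VaultEscape(f"{requested!r} resolves outside the vault")
    return candidate


def allowed(vault_root: str, requested: str) -> bool:
    """Predicate form of the check, for gating tool calls."""
    try:
        resolve_in_vault(vault_root, requested)
        return True
    except VaultEscape:
        return False


def build_demo_vault() -> str:
    """Construct a throwaway vault: one note plus a symlink leaving the vault."""
    vault = tempfile.mkdtemp(prefix="vault-")
    (Path(vault) / "notes").mkdir()
    (Path(vault) / "notes" / "daily.md").write_text("# daily\n")
    outside = tempfile.mkdtemp(prefix="outside-")
    os.symlink(outside, Path(vault) / "escape")  # hostile symlink (constructed)
    return vault


if __name__ == "__main__":
    v = build_demo_vault()
    for p in ["notes/daily.md", "../secrets.txt", "/etc/hosts", "escape/x.md"]:
        print(f"{p!r:20} -> {'allowed' if allowed(v, p) else 'REJECTED'}")
```

Requires Python 3.9+ for `Path.is_relative_to` and a POSIX host for the symlink case.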
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).