obsidian-mcp-search — agentic threat model
obsidian-mcp-search poses a high data exposure risk due to its ability to perform semantic search across multiple local Obsidian vaults containing sensitive personal data, though its agentic risk is low due to its read-only nature and lack of autonomous planning.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
|---|---|
| Autonomy of Action | 0.10 |
| Goal-Driven Planning | 0.10 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.30 |
| Persistent Memory | 0.20 |
| Contextual Awareness | 0.60 |
| Dynamic Identity | 0.10 |
| Multi-Agent Interactions | 0.20 |
| Non-Determinism | 0.30 |
| Opacity & Reflexivity | 0.20 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “Not certain from the listing” are general, caveated commentary for layers that the public description did not pin down.
Layer 1 (Foundation Models): Not certain from the listing — the agent relies on local embedding backends for semantic search, but the specific foundation models used for generating these embeddings or processing queries are not detailed. Threats include potential adversarial inputs designed to manipulate embedding distances or cause denial of service on the local embedding engine.
Layer 2 (Data Operations): The agent directly accesses and indexes multiple local Obsidian vaults to perform semantic search and construct graph context. This creates a high risk of data exfiltration or embedding inversion if unauthorized users gain access to the search endpoints, potentially exposing highly sensitive personal notes.
Layer 3 (Agent Frameworks): As an MCP server, it exposes tools for semantic search and graph context retrieval to an orchestrating agent. The primary threat is tool misuse, where an upstream agent is manipulated via prompt injection to query sensitive vaults and leak the retrieved context to external entities.
Layer 4 (Deployment and Infrastructure): The application is self-hosted and exposes an HTTP endpoint to serve its web dashboard and MCP interface. If hosted insecurely or bound to public interfaces without proper firewalling, it exposes the host's local file system (where the Obsidian vaults reside) to network-based attacks.
Layer 5 (Evaluation and Observability): Not certain from the listing — there is no mention of built-in evaluation, logging, or observability guardrails to monitor search queries, detect anomalous data access patterns, or log unauthorized attempts to access specific vaults.
Layer 6 (Security and Compliance): The agent implements a token-guarded web dashboard using the 'MCP_AUTH_TOKEN' environment variable to restrict access. However, there is no mention of fine-grained role-based access control (RBAC) to restrict specific clients to specific vaults or sub-folders.
Layer 7 (Agent Ecosystem): The agent operates within the Model Context Protocol (MCP) ecosystem, meaning it is designed to be called by other LLM agents. The primary ecosystem threat is cascading trust abuse, where a compromised or rogue agent connects to this server and silently harvests the user's entire knowledge graph.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).