Low
github · 18 files analyzed
MarkusPfundstein/mcp-obsidian
Minor capabilities, nothing alarming.
Outbound network 6
Environment variables (config / keys) 4
AI review
This extension is a legitimate MCP server for interacting with Obsidian via its Local REST API. It reads the API key from environment variables and makes HTTP requests to a local Obsidian instance, which is expected behavior. No hidden instructions, prompt injection, or data exfiltration mechanisms were found.
- low Environment variable usage for API key — The extension reads OBSIDIAN_API_KEY from environment variables, which is standard and necessary for authenticating with the Obsidian REST API. The key is only sent to the local Obsidian instance, not to any external service.
- low Network requests to localhost only — All HTTP requests are made to the local Obsidian REST API (default host 127.0.0.1, port 27124). No external network calls are made, so there is no risk of data exfiltration.
Model: deepseek-chat
Static findings
Outbound network · Makes outbound network requests
low
src/mcp_obsidian/obsidian.py:59
response = requests.get(url, headers=self._get_headers(), verify=self.verify_ssl, timeout=self.timeout)
info
tests/test_get_frontmatter.py:30
with patch("mcp_obsidian.obsidian.requests.get", return_value=_note_json_response()) as mock_get:
info
tests/test_obsidian_put_content.py:21
with patch("mcp_obsidian.obsidian.requests.put", return_value=_ok_response()) as mock_put, \
info
tests/test_obsidian_requests.py:89
with patch("mcp_obsidian.obsidian.requests.get", return_value=_json_response({"files": ["a.md"]})) as mock_get:
info
tests/test_obsidian_utf8.py:23
with patch("mcp_obsidian.obsidian.requests.post", return_value=_ok_response()) as mock_post:
info
tests/test_search_by_tag.py:23
with patch("mcp_obsidian.obsidian.requests.post", return_value=resp) as mock_post:
Environment variables (config / keys) · Reads environment variables (config / API keys)
low
src/mcp_obsidian/obsidian.py:11
protocol: str = os.getenv('OBSIDIAN_PROTOCOL', 'https').lower(),
low
src/mcp_obsidian/server.py:26
api_key = os.getenv("OBSIDIAN_API_KEY")
low
src/mcp_obsidian/tools.py:12
api_key = os.getenv("OBSIDIAN_API_KEY", "")
info
tests/conftest.py:4
os.environ.setdefault("OBSIDIAN_API_KEY", "test-key")
MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.