registry  /  kobsidian-mcp  /  0.3.4

kobsidian-mcp@0.3.4

TypeScript MCP server for Obsidian with a filesystem-first LLM Wiki layer, Dataview / Canvas / Kanban / Mermaid / Marp / Templates tools, and both stdio and Streamable HTTP transports.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 1.70 MB of source, external domains: 127.0.0.1, arxiv.org, github.com, json-schema.org, raw.githubusercontent.com, registry.npmjs.org
Oversized source lightweight scan
dist/server/stdio.js2.01 MB file, sampled 256 KB
FilesystemChildProcessEnvironmentVarsEvalHighEntropyStringsUrlStringsarxiv.orgraw.githubusercontent.com

Source & flagged code

4 flagged · loading source
dist/server/http.jsView file
1226var names = { L1227: data: new codegen_1.Name("data"), L1228: valCxt: new codegen_1.Name("valCxt"), ... L2213: id = normalizeId(id); L2214: return resolver.resolve(baseId, id); L2215: } ... L3058: for (i = 0;i < input.length; i++) { L3059: code = input[i].charCodeAt(0); L3060: if (code === 48) { ... L7850: if (ast.body[0].expression.body.type === "BlockStatement") { L7851: return new Function(params, source.slice(body[0] + 1, body[1] - 1)); L7852: }
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/server/http.jsView on unpkg · L1226
7850if (ast.body[0].expression.body.type === "BlockStatement") { L7851: return new Function(params, source.slice(body[0] + 1, body[1] - 1)); L7852: }
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/server/http.jsView on unpkg · L7850
dist/server/stdio.jsView file
path = dist/server/stdio.js kind = oversized_source_file sizeBytes = 2102531 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/server/stdio.jsView on unpkg
path = dist/server/stdio.js kind = oversized_cli_entrypoint sizeBytes = 2102531 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/server/stdio.jsView on unpkg

Findings

2 High4 Medium6 Low
HighObfuscated Payload Loaderdist/server/http.js
HighOversized Source Filedist/server/stdio.js
MediumNetwork
MediumEnvironment Vars
MediumOversized Cli Entrypointdist/server/stdio.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/server/http.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings