Skip to content

Security: Strongf-bob/obsidian-ai-agent

Security

SECURITY.md

Security Policy

Secrets

  • Never commit API keys into the repository.
  • Use environment variables (OBSIDIAN_AGENT_API_KEY) or private config files.
  • Rotate keys if a leak is suspected.

LLM data flow

When LLM-backed commands run (topic, ingest-text, inbox-process), the tool sends:

  • Task input (topic/text/inbox excerpts)
  • Note metadata and limited context (frontmatter + headings of relevant notes)
  • Config rules required to generate a valid JSON plan

The full vault is not uploaded automatically, but any data included in prompts can leave your machine if you use a remote API endpoint.

Local models

For fully local processing, use an OpenAI-compatible local server and set base_url to localhost.

Reporting

Report vulnerabilities privately to: karsakovillya@yandex.ru.

There aren't any published security advisories