How does this skill help protect Obsidian vault data?

It implements strict path traversal checks to prevent plugins from accessing files outside their scope and ensures that any data leaving the vault is explicitly authorized by the user.

Is this skill aligned with official Obsidian guidelines?

Yes, the patterns are designed to follow Obsidian's official plugin development security recommendations and industry-standard OWASP principles.

Can I use this for plugins that require private API keys?

Yes, it includes specific patterns for building secure settings tabs that mask sensitive inputs and ensure credentials are never hardcoded or leaked in debug logs.

Does it provide protection against Cross-Site Scripting (XSS)?

The skill provides guidance on sanitizing HTML content and implementing secure Content Security Policies (CSP) for custom views and iframes within Obsidian.

Does it handle secure logging?

It includes a utility for redacting sensitive keys like 'password', 'token', and 'apiKey' from objects before they are passed to console logs or error reports.

Obsidian Plugin Security Basics

Name: Obsidian Plugin Security Basics
Author: jeremylongshore

byjeremylongshore

•

1,243

Security & Testing

Implements industry-standard security practices and data protection patterns for Obsidian plugin development.

About

This skill provides a comprehensive framework for building secure Obsidian plugins, focusing on protecting user vault data and sensitive information. It guides developers through implementing secure settings storage for API keys, robust input validation to prevent path traversal and XSS, and safe HTTP communication patterns. By using this skill, developers can ensure their plugins adhere to privacy-first principles, handle external data sharing with user consent, and avoid common security pitfalls like hardcoded secrets or excessive logging of sensitive data.

Key Features

Permission-based workflows for explicit user consent during data sharing
Secure settings storage with masked API key inputs and UI toggles
Sensitive data redaction patterns for secure error logging and auditing
Robust input validation for path traversal, URL sanitization, and HTML safety
1,243 GitHub stars
Safe HTTP client implementation using Obsidian's internal request modules

Use Cases

Developing an Obsidian plugin that integrates with a 3rd-party API using a secret token
Implementing user consent prompts before transmitting vault contents to external services
Validating file paths when programmatically creating or modifying files within a user's vault

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add jeremylongshore/claude-code-plugins-plus-skills obsidian-security-basics

For use in Claude.ai and ChatGPT

Download Skill

GitHub