Obsidian Plugins Security Considerations

What is Obsidian? Obsidian is essentially note-taking software. The notes are stored as plain text in regular files using a formatting called Markdown. If the basic program does not do everything you want, you can download plugins. These are add-on features which provide additional functionality. There are plugins for exporting your notes as a website (WebPage Html Export Plugin for Obsidian), a Calendar, moving backgrounds (Dynamic Background), or a Kanban board, which people seem to like for tracking the lifecycle state of their notes. There are reportedly hundreds of plugins available for your needs.

Plug-ins in any ecosystem can provide really useful and time-saving features. The question is, "are they safe?" There are many considerations. We have to consider how the ecosystem works and whether there are any approvals, quality controls, or safety checks for getting approved. I will try to dive into what I can find, but you will have to make your own calls.

As far as Obsidian goes, there is documentation to Build a plugin. It appears plugins are developed with NodeJS. Just do a quick search and it is not hard to find stories of nefarious code being released to NPM, the package management system for NodeJS. So even if the plugin writer is not purposely acting nefariously, they might be unwittingly inheriting a security risk from an upstream library they are using. Node uses a TON of libraries built on top of more libraries. That is both the beauty and the risk of it. We learned this when a developer broke the internet. Quote: "programmers, ... might not have even heard the name left-pad but their code was breaking because their apps were dependent on some packages". Clearly developers all over the world do not know every dependency, and a single change can be inherited by many. If someone writing a plugin were to use those libraries, we would have a security issue. NodeJS is a programming language with a pretty wide array of features it can tackle. It can write to your disk. This means developers can in theory use any feature of the language unless it is somehow mitigated by the plugin process.
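As an added example (not code from the original post or from Obsidian), here is a small script that walks a package-lock.json and lists every transitive package a plugin pulls in, which is exactly the kind of dependency a developer may never have heard of. It assumes npm's lockfileVersion 2/3 layout, and the lock data below is constructed rather than taken from a real plugin.

```javascript
// Added example: enumerate every transitive dependency recorded in a
// package-lock.json (npm lockfileVersion 2/3 layout, where "packages" is
// keyed by "node_modules/<name>" paths). Constructed sample lock data below.
const SAMPLE_LOCK = {
  name: "example-plugin",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "some-cli": "^1.0.0" } },
    "node_modules/some-cli": { version: "1.0.0",
      dependencies: { "string-pad": "^0.1.0", "colors-ish": "^2.0.0" } },
    "node_modules/string-pad": { version: "0.1.0", dependencies: { "left-pad": "^1.3.0" } },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/colors-ish": { version: "2.0.0", dependencies: { "left-pad": "^1.3.0" } },
  },
};

// npm nests a package under its requester when versions conflict
// (node_modules/a/node_modules/b), so climb from the requester toward the root.
function findEntry(lock, requesterPath, name) {
  let base = requesterPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (lock.packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Breadth-first walk from the root project (""). Returns a Map of
// lock path -> { name, version, depth }; depth 1 means a direct dependency.
function transitiveDeps(lock) {
  const seen = new Map();
  const queue = [{ path: "", depth: 0 }];
  while (queue.length) {
    const { path, depth } = queue.shift();
    const deps = (lock.packages[path] && lock.packages[path].dependencies) || {};
    for (const name of Object.keys(deps)) {
      const p = findEntry(lock, path, name);
      if (!p || seen.has(p)) continue; // unresolved names deserve a separate warning
      seen.set(p, { name, version: lock.packages[p].version, depth: depth + 1 });
      queue.push({ path: p, depth: depth + 1 });
    }
  }
  return seen;
}

// Indented tree: one declared dependency expands to four packages here.
for (const d of transitiveDeps(SAMPLE_LOCK).values()) {
  console.log("  ".repeat(d.depth - 1) + d.name + "@" + d.version);
}
```

Point it at a real lock file by reading and JSON-parsing package-lock.json in place of SAMPLE_LOCK; anything at depth 2 or deeper is a package the plugin author never chose directly.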

So what does the process require to submit a plugin? Submit Your Plugin leads us to Developer Policies. Highlighting a few relevant items below:

Not allowed

Obfuscate code to hide its purpose. Yes, there are techniques to "hide code". Just imagine Morse code written entirely in spaces and control characters that never get displayed on the screen, and fathom not only that someone designed this but that it gets used. So it's a good thing they don't allow it. The question is, can they even detect it?
Include client-side telemetry. I guess this means a developer can't send telemetry data out from the plugin to anywhere else? That's a good thing. Do they know what to look for?
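As an added example (not from the original post and not Obsidian's review tooling), here is a small scanner for one class of hidden content: characters that render as nothing or that reorder the displayed text. The sample source text is constructed; plain spaces and tabs pass through, so a whitespace-only encoding would need a separate check.

```javascript
// Added example: flag characters in plugin source that are invisible when
// rendered or that alter display order, so a human reviewer never sees them.
// Constructed sample input below; not an Obsidian tool.
const SUSPECT = new Map([
  ["\u200B", "ZERO WIDTH SPACE"], ["\u200C", "ZERO WIDTH NON-JOINER"],
  ["\u200D", "ZERO WIDTH JOINER"], ["\u2060", "WORD JOINER"],
  ["\uFEFF", "ZERO WIDTH NO-BREAK SPACE"], ["\u00AD", "SOFT HYPHEN"],
  ["\u202A", "LEFT-TO-RIGHT EMBEDDING"], ["\u202B", "RIGHT-TO-LEFT EMBEDDING"],
  ["\u202C", "POP DIRECTIONAL FORMATTING"], ["\u202D", "LEFT-TO-RIGHT OVERRIDE"],
  ["\u202E", "RIGHT-TO-LEFT OVERRIDE"], ["\u2066", "LEFT-TO-RIGHT ISOLATE"],
  ["\u2067", "RIGHT-TO-LEFT ISOLATE"], ["\u2068", "FIRST STRONG ISOLATE"],
  ["\u2069", "POP DIRECTIONAL ISOLATE"],
]);

// Control characters other than tab and CR are also reported; LF is the line
// separator and never reaches the loop.
function isControl(cp, ch) {
  return (cp < 0x20 && ch !== "\t" && ch !== "\r") || (cp >= 0x7f && cp <= 0x9f);
}

// Returns one finding per suspect character: { line, column, codePoint, name }.
function scanSource(text) {
  const findings = [];
  text.split("\n").forEach((line, i) => {
    let column = 0;
    for (const ch of line) {
      column += 1;
      const cp = ch.codePointAt(0);
      const name = SUSPECT.get(ch) || (isControl(cp, ch) ? "CONTROL CHARACTER" : null);
      if (name) {
        const codePoint = "U+" + cp.toString(16).toUpperCase().padStart(4, "0");
        findings.push({ line: i + 1, column, codePoint, name });
      }
    }
  });
  return findings;
}

// Constructed sample: looks like two ordinary lines, but carries two
// zero-width characters and a bidi override in a trailing comment.
const SAMPLE = "let total = 0;\u200B\u200D\nfunction add(n) { total += n; } // \u202Enote\n";

for (const f of scanSource(SAMPLE)) {
  console.log(`line ${f.line} col ${f.column}: ${f.codePoint} ${f.name}`);
}
```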

Must Disclose:

Accessing files outside of Obsidian vaults. Clearly explain why this is needed. Is this disclosure info passed along in the documentation of the plugin to the users? I do not remember seeing the submitted-for-review docs anywhere on the GitHub sites.
Server-side telemetry. Link to a privacy policy that explains how the data is handled must be included. I guess I am not sure what server we are talking about here. Is this telemetry from the internet to the plugin?
Closed-source code. This will be handled on a case by case basis. So there is not always a guarantee that Obsidian ever gets to actually see the code.

At least they claim they are trying to prevent telemetry. But what exactly is telemetry? According to Wikipedia ... telemetry. Does that mean they can't collect our secrets? Or does it just mean they can't take measurements? And they obviously can't access files outside our vaults, but what if we have secrets inside our vaults? I hate to be picky like this, but that is also how legalities work, at least where I live. So it may not even be expressly forbidden to collect user secrets as long as it is disclosed, the data is in the vault, and it is not a measurement? Yeah, I know. I'm just making a point that things are open to interpretation and not everything will be clearly excluded, so someone will do it. "Oh, we grabbed it from the frame buffer on the screen and that is not a file..."

I also came across this Reddit post discussing security risks of plugins, Folks, you need to be aware of the very real security risks of themes and plug-ins, and one of the responses states that there is a review process and the code must be open source. Which, as we can see above, is not fully accurate given that closed-source code will be considered on a case-by-case basis.

Let's discuss open source a bit further. I agree open source is extremely valuable for this reason: the oft-touted "go check it out for yourself" or "fix it yourself if you need to" statements. I think it has done more to progress our technologies than probably anything else. But let's be real, those who actually take the time to evaluate it are a minority of users.

However, when you go to a GitHub repo to get the software, do you build the project from the source or do you download the release binary? Can you be sure what is inside that binary matches what is in the repo? What build process was used to create it, and did it include anything extra? Is that md5sum of the binary telling you anything about what is inside the binary? Maybe if you had some third party building the code and verifying its integrity. But can we trust the third party? The best solution is to actively build the code ourselves while fully understanding every piece of code and every part of the build process, but that is highly impractical in an ecosystem of hundreds of dependencies for a small project, where developers do not even know all the dependencies.

So you're paranoid and you opened it in your text editor and looked through and understood every line and option, right? Remember that discussion on obfuscated code? Did you look for that also? Did you look for buffer overflow attacks? There is always some new evasion technique or another attack vector to consider, and new vulnerabilities are announced daily. This is the cat-and-mouse game that is security. It is a tall order to reach even a high confidence of safety. I doubt many even go to the level of effort to build things themselves. I do not have access to the plugin pull system, so I can't really know how well they are verifying the repos.

As developers or Internet users we accept risks every day. Every time we download a package from NPM or PyPI or GitHub to try a new piece of software, we are trusting. There are ways to make it safer, but do we really create a new VM for every use? Many VSCode extensions are also provided by third parties. Are all those safe? The developers of these Obsidian plugins likely also use these tools to develop their plugins. Code quality tools are good for security until they aren't. We must trust to progress. But we also can't ever really trust the IT industry completely.

Can we trust the developers behind Obsidian? I can't find much detail. On the home site there is an about page. It lists a bunch of developers, but I do not see a company mentioned. A coalition of developers? It doesn't really say much. That is also an awfully small list of talent to be reviewing and approving apps, but the environment is small. Did you click on the about page? Sandy looks like a troublemaker to me. Looking deeper, the Wikipedia Obsidian Software page tells us it is developed by Dynalist, Inc, which can be found embedded in the terms. I do not see any mention of the code being open source, and I can't find an obvious repository. Looking at the Google Play Store for Obsidian and finding the developer, we see they have 2 apps published: Obsidian and Dynalist; another note-taking app? The Dynalist app tells us the home page is Dynalist.io. The about page is a little vague and has few details. Some of the site links do not even work. What country is this company based out of? Crunchbase lists Dynalist as a Canadian company, if that matters to you. So it kind of looks like a small handful of developers working together and hopefully doing good things.

I see headlines month after month of Google having apps removed from the Play Store that slipped by the reviews and contain malware. So even if they are genuine, we likely can't rely 100% on the safety of the plugins if we use the experience of other companies as a guide.

In the end, it's a pretty scary world out there. If we never use a phone or a computer or a piece of software or install a plugin, we are taking the hard manual road through life. Honestly, I take that path quite often. I am probably more cautious than most. I hardly use any browser plugins because they can see all my traffic, like when I log into my bank. I think about what attackers would want the most. I figure if they really wanted my stuff they would target a plugin to watch my traffic. They would try to get access to the browser's saved passwords. They would try to get to the files on my computer. They might even suspect I store secrets in my notes.

NPM has an audit capability for developers to self-police their code. Whether the plugin developers do that is unclear. Obsidian seems to have a review process, but the rigor is unclear. They even claim to consider closed-source code for inclusion. They can't possibly forbid everything and they can't possibly catch everything. But at least it seems they are trying. And intent shows a lot, as long as that intent is genuine.

What we want to see is at least an attempt to take reasonable security efforts to ensure plugins are safe, such as scanning the code. We want to see evidence that bad plugins are removed. I did a quick search and did not find any removals, but it was not a fair and thorough search and the ecosystem is still fairly small. It would be nice to see how they are validating that the code in the repo is what is actually being built for the plugin, and not just grabbing a binary and a checksum. I'd love to see the details, but companies often avoid this because it "tells them what we are looking for and they can avoid it".

So in my assessment, plugins are a scary thing in any ecosystem. I just don't, and likely won't, have enough details here to really ever be comfortable. You will have to decide for yourself what you trust. I tend to err more on the side of caution. But I trust my cell phone and desktop OS providers every day not to steal my info. Can they be trusted? Should they be trusted? I would assert no. They are out for profit and not doing this in our best interests. I won't go living my life in this day and age without a computer, shunning modern technology, though there are those who do prefer such a lifestyle. So I am already trusting companies with important communications.

Some of the Obsidian plugins seem quite useful and I really like this product. I will be continuing to use it. The plugins for website publication seem useful to me and I am evaluating them. I wish there was more info and transparency here, but I don't really expect to get much more than we already have. Lack of details is a problem with any company or software. I should probably join the community or the Discord listed on the project's home page if I really want more info.

So I will continue to use Obsidian and I will continue to be cautious and ask myself if I really need a plugin before I continue. Stay safe.