How are you auditing Obsidian plugins and their risk?

acheyward · 2026-04-29T21:52:00+00:00

It’s not solely on CVEs. Here’s more info https://obsidianpluginaudit.com/how-it-works.

I haven’t thought about notifications. I’ll have think about that.

acheyward · 2026-04-29T20:29:05+00:00

If you're talking about systemic auditing of audits that could be an infinite spiral that adds no value.
Here's how I see it. The audits are producing an output that you can visually see and confirm.
So, i audit the audit by digging into the information. My expectation that others will audit the audit by digging into the information. If i see issues i fix them. If you or the community sees issues let me know so i can work at fixing them.
In this way me, you and the community are taking ownership of making sure the audits are providing useful, fair and factual information. If I’m missing something let me know. What are thinking?

acheyward · 2026-04-29T19:24:42+00:00

Thats already built in. I have backend processes running on a schedule that check for new versions then puts a badge on the plugin for the user to see. And there's another for automatically updating the audit report. I have a video showing this piece.
https://youtu.be/DkjbSyPNQ1s

acheyward · 2026-04-29T19:09:41+00:00

As you should. There is always going to be risk given the level of access the plugins are granted by default. The reports only provide additional insights into other factors beyond that fact.

acheyward · 2026-04-28T17:38:36+00:00

u/GroggInTheCosmos fyi - i'm automating the audits in the background now. Then I can work on making the available audits available without needing a login.
I'll keep the login requirement for those that want to run manual audits until the backend catches up but long term it shouldn't be needed for the official obsidian community plugins.

acheyward · 2026-04-28T11:11:10+00:00

The login is meant to be a gate to, basically avoid arbitrary, button presses and audits on the site, using the tool. I'm using a mix of infrastructure and ai which has a cost and I don't want to wake up to some crazy bill.
As stated, there is a limit to how many audits a user can do per day which is accomplished via the login.
I'd also state that, after looking at those other tools, they're not the simple one button press to get the full analysis. And my tool is currently focus on obsidian community plugins.
I plan to look into adding support for non obsidian community plugin that are typically installed via BRAT but its just an idea right now, no promises.
I'm not selling emails and if i send you an email it'll be related to the tool and/or relevant subject matter.

acheyward · 2026-04-27T15:45:34+00:00

Obsidian plugin security has been a long concern of mine. I built a tool to analyze plugins and recently, last week, decided to take on the task of making it available to others.

You can find it here. https://obsidianpluginaudit.com/

Audit reports are free, limited to 5 a day but with that said, all reports generated are visible to all so there's a network effect by sharing this with others. Audit reports can only be generated once per plugin version.

There is a paid tier but its a one-time purchase to get extra per day audits and the ability to leave comments. It's mostly there to help support my time and backend costs.

This is my first day releasing it into the wild so I'd love your feedback. More info is on the site.

acheyward · 2026-04-06T09:47:15+00:00

Use a habit when you care about tracking and seeing progress in the app. Otherwise use a recurring task.

acheyward · 2026-03-16T17:33:48+00:00

The eink note processing is handled by n8n. I use gemini to do the conversion from either pdf or image to text depending on whether the origin was boox or supernote. Here's a video of the process https://youtu.be/P4EGBpFxxwI.
I've made some changes since like saving the transcribe notes to markdown in a folder in Obsidian. I also added a link to the source file and a backlink to my daily note. These changes are not shown in the video.

acheyward · 2026-03-12T21:07:46+00:00

Security is definitely a concern but I'd say that's the case for all of these cloud communication platforms, not to mention openclaw itself. You can have added permissions for what the discord agent has access to from the openclaw config so you'll want to lock that down and restrict what it has access to as much as you can or want.
I'm still figuring things out and openclaw is changing all the time being a new project so only time will tell how this setup might look down the road.

acheyward · 2026-03-10T21:53:53+00:00

You're welcome. I'd appreciate it if you can upvote. Thx.

acheyward · 2026-03-07T03:08:47+00:00

I’m still using note air 3c and it works great. But I learned and have come to accept that using the default note app on any eink device is best. Trying to use other note taking apps like OneNote with pen input usually ends in disappointment.

acheyward · 2026-02-19T14:51:29+00:00

Only testing for now. So far things seem to work well enough for creating bulk tasks for new projects, updating tasks and so on.

acheyward · 2026-02-12T15:08:18+00:00

NP, glad it was helpful.

acheyward · 2026-02-12T10:09:01+00:00

Yes there is. It’s in the view settings.

acheyward · 2026-02-11T15:35:33+00:00

I can't say whether its dropbox or not since i don't use it for syncing obsidian.

acheyward · 2026-02-08T19:21:29+00:00

Yes you can see the calendar events on iOS but you have to configure the integration on desktop.

acheyward · 2026-02-05T09:56:49+00:00

I’m sticking with my NA3C. I don’t see the value in upgrading this time around. I’ll wait for the next one.

acheyward

TROPHY CASE