Obsidian.md and Plugin Security

Obsidian.md is an awesome note-taking system. However, any third-party plugin you install has access to all the files on your computer. You must hope the developer is nice or that their GitHub credentials don’t get compromised by a bad actor who then pushes out a malicious update.

The barrier to entry to get a plugin added to the Obsidian marketplace is low, and the review is performed only once. There is no follow-up security review.

Common retorts to these statements, and my replies:

  • It’s the same thing as X app (VS Code, e.g.)
    My reply: Yes, and that is also bad.
  • Plugins with many users are safer because they have more eyes reviewing the code
    My reply: Yes, and they are the more attractive targets. A contributor needs only enough time to push a bad update no one notices to infect thousands of computers. So like, 20 minutes?
  • I don’t put anything valuable or private in my notes anyway
    My reply: How about the rest of your computer? Because that’s what they have access to.

In summary, if you use Obsidian, don’t use plugins until or unless they improve this situation.
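If you do keep plugins installed, the practical check is to notice when a plugin's code changes underneath you. The script below is an added example, not part of the original post: it records the manifest version and the SHA-256 of each installed plugin's main.js so that an update which changes the code without bumping the version shows up in a diff against a saved baseline. It assumes Obsidian's vault layout of .obsidian/plugins/<id>/ containing manifest.json and main.js; the plugin names and file contents in the sample data are constructed.

```python
# Inventory the community plugins in an Obsidian vault and flag unexpected changes.
# Assumption (not from the page): each plugin lives in <vault>/.obsidian/plugins/<id>/
# with a manifest.json and the bundled main.js that Obsidian actually loads.
import hashlib
import json
from pathlib import Path

def fingerprint(manifest_text: str, main_js: bytes) -> dict:
    """Record the version the manifest claims plus a hash of the code that really runs."""
    manifest = json.loads(manifest_text)
    return {"version": manifest.get("version", "?"),
            "main_js_sha256": hashlib.sha256(main_js).hexdigest()}

def inventory(vault: Path) -> dict:
    """Fingerprint every plugin directory under <vault>/.obsidian/plugins."""
    result = {}
    plugins_dir = vault / ".obsidian" / "plugins"
    for plugin_dir in sorted(p for p in plugins_dir.iterdir() if p.is_dir()):
        manifest_path, main_path = plugin_dir / "manifest.json", plugin_dir / "main.js"
        if manifest_path.is_file() and main_path.is_file():
            result[plugin_dir.name] = fingerprint(manifest_path.read_text(), main_path.read_bytes())
    return result

def diff_baseline(baseline: dict, current: dict) -> list:
    """List plugins that appeared, vanished, or whose main.js changed since the baseline."""
    findings = []
    for pid in sorted(set(baseline) | set(current)):
        old, new = baseline.get(pid), current.get(pid)
        if old is None:
            findings.append(f"NEW plugin: {pid} {new['version']}")
        elif new is None:
            findings.append(f"REMOVED plugin: {pid}")
        elif old["main_js_sha256"] != new["main_js_sha256"]:
            # Same version string with different code is the case that deserves a closer look.
            note = " (version unchanged!)" if old["version"] == new["version"] else ""
            findings.append(f"CODE CHANGED: {pid} {old['version']} -> {new['version']}{note}")
    return findings

# Constructed sample data: plugin-a's code changed without a version bump, plugin-b was
# removed and plugin-c appeared. On a real vault, save json.dumps(inventory(vault)) as the
# baseline and run diff_baseline against a fresh inventory after each plugin update.
SAMPLE_BASELINE = {
    "plugin-a": fingerprint('{"id":"plugin-a","version":"1.0.0"}', b"console.log('a');"),
    "plugin-b": fingerprint('{"id":"plugin-b","version":"2.1.0"}', b"console.log('b');"),
}
SAMPLE_CURRENT = {
    "plugin-a": fingerprint('{"id":"plugin-a","version":"1.0.0"}', b"console.log('a2');"),
    "plugin-c": fingerprint('{"id":"plugin-c","version":"0.3.0"}', b"console.log('c');"),
}
```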
