Security

Designed with minimal access in mind. Here's exactly what we access and why.

Access Model

Obsidian MCP follows the principle of least privilege. It only accesses what's strictly necessary to function.

What We Access

  • obsidian.json: To discover vault locations on your machine
  • Vault .md files: To read, write, and search your notes
  • obsidian:// URIs: To open notes in the Obsidian app

What We Don't Access

  • Network / Internet: Zero outbound connections
  • Files outside vaults: No access to other directories
  • Credentials / Tokens: No passwords, API keys, keychains
  • Browser data: No cookies, history, saved passwords
  • Telemetry: No analytics, tracking, or phone-home

Design Principles

🏠

Local Only

Everything runs on your machine. Your notes never leave your filesystem.

Transparent

100% open source. Every line of code is auditable on GitHub.

Minimal Dependencies

Only essential libraries. No network packages included.

Dependencies

We use a minimal set of dependencies, none of which make network calls:

| Package | Purpose | Network Access |
|---|---|---|
| mcp | MCP protocol implementation | No |
| pathlib | File path handling (stdlib) | No |
| json | Config parsing (stdlib) | No |
| subprocess | Opening obsidian:// URIs (stdlib) | No |
| re | YAML frontmatter parsing (stdlib) | No |

Notable absences: No requests, httpx, urllib.request, aiohttp, or any HTTP client libraries.

Verify Yourself

Don't take our word for it. Here's how to audit the code:

1. Check for network libraries

```bash
# Search for HTTP client imports (should return nothing)
grep -r "import requests\|import httpx\|import urllib.request\|import aiohttp" src/
```

2. Review the main server code

```bash
# The entire MCP implementation is in one file
cat src/obsidian_mcp/server.py
```

3. Check what files we access

```bash
# Look for Path() and open() calls to see file access patterns
grep -n "Path\|open(" src/obsidian_mcp/server.py
```

The full source is available at: github.com/ldraney/obsidian-mcp
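
The grep in step 1 matches only the literal `import <name>` form, so it misses `from requests import get`, `importlib.import_module(...)`, and lower-level modules such as `socket` or `http.client`. The Python script below is an added example, not code from the obsidian-mcp project: it walks the AST instead, and the deny-list, the name `find_network_imports`, and the constructed `SAMPLE` are assumptions of the example.

```python
import ast

# Assumed deny-list of network-capable modules; extend it for your own audit.
NETWORK_MODULES = ("socket", "ssl", "http.client", "urllib.request", "urllib3",
                   "requests", "httpx", "aiohttp", "ftplib", "smtplib", "websockets")

# Constructed sample input, not taken from the obsidian-mcp source tree.
SAMPLE = '''\
import json, socket
from pathlib import Path
from urllib import parse, request
from requests import get
import urllib.parse
import importlib
client = importlib.import_module("http.client")
def lazy():
    import httpx
'''

def _is_network(name):
    """True if a dotted module name is, or lives under, a deny-listed module."""
    return any(name == m or name.startswith(m + ".") for m in NETWORK_MODULES)

def find_network_imports(source, filename="<constructed>"):
    """Return sorted (line, module) pairs for each network-capable import."""
    hits = set()
    for node in ast.walk(ast.parse(source, filename)):
        names = []
        if isinstance(node, ast.Import):
            names = [a.name for a in node.names]
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            # "from urllib import request" must count as urllib.request
            subs = [f"{node.module}.{a.name}" for a in node.names]
            names = [node.module] if _is_network(node.module) else subs
        elif isinstance(node, ast.Call) and node.args:
            # __import__("x") / importlib.import_module("x") with a literal name
            callee = getattr(node.func, "id", None) or getattr(node.func, "attr", None)
            arg = node.args[0]
            if callee in ("__import__", "import_module") and isinstance(arg, ast.Constant):
                names = [arg.value] if isinstance(arg.value, str) else []
        hits.update((node.lineno, n) for n in names if _is_network(n))
    return sorted(hits)

if __name__ == "__main__":
    import pathlib, sys
    root = pathlib.Path(sys.argv[1] if len(sys.argv) > 1 else "src")
    for path in root.rglob("*.py"):
        for line, mod in find_network_imports(path.read_text(encoding="utf-8"), str(path)):
            print(f"{path}:{line}: {mod}")
```

An empty result covers only the files scanned; installed dependencies such as mcp have to be scanned separately.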

Frequently Asked Questions

Can Claude access files outside my vault?

No. The MCP only reads files within paths listed in Obsidian's obsidian.json. It cannot access your Documents, Downloads, or any other folders.

Does this send my notes anywhere?

No. All processing happens locally between Claude Desktop and your filesystem. The MCP server has no network capabilities.

What about the subprocess usage?

The subprocess module is used only to open obsidian:// URIs via your system's default handler, the same as clicking an Obsidian link in a browser.

Is my vault data sent to Anthropic?

When you use Claude Desktop, the content of notes Claude reads is sent to Anthropic's API (that's how Claude works). However, this MCP itself makes no network calls; it only facilitates local file access that Claude Desktop then uses.

How do I report a security issue?

Please do NOT open a public issue for security vulnerabilities. Email the maintainer directly (see GitHub profile) and allow time for a fix before public disclosure.
