obsidian-mcp-server

by franklinchristuraj

Overview

Enables AI assistants to programmatically interact with an Obsidian knowledge vault through the Model Context Protocol (MCP) via HTTPS, offering full read and write access.

Installation

Run Command
python main.py

Environment Variables

  • MCP_API_KEY
  • OBSIDIAN_API_URL
  • OBSIDIAN_API_KEY
  • OBSIDIAN_VAULT_PATH

Security Notes

Critical security risks identified:

  1. `httpx.AsyncClient(verify=False)` disables SSL certificate verification when connecting to the Obsidian REST API, making local connections vulnerable to man-in-the-middle attacks if not carefully controlled.
  2. A publicly accessible API key (`798f67623306a6e2092542b9bdcf9775b44f5d4ae3193b1a2820b369e194047e`) for the remote production server is hardcoded in `test_remote_connection.py` and `EXTERNAL_CONNECTION_INFO.md`, a severe breach of security best practices as it exposes production credentials.
  3. The simplified OAuth implementation for Claude.ai connectors uses the `MCP_API_KEY` as the `OAuth Client Secret` and returns it as an `access_token`, which significantly weakens OAuth security by using the main API key directly as an OAuth token.
  4. The `execute_command` tool allows execution of arbitrary Obsidian commands, potentially leading to risks depending on the underlying Obsidian REST API plugin's safeguards.
  5. The server can be configured to listen on `0.0.0.0` and authentication can be optionally disabled (`MCP_REQUIRE_AUTH=false`), posing risks if misconfigured without a robust reverse proxy and firewall protections.

Stats

  • Interest Score: 0
  • Security Score: 3
  • Cost Class: Medium
  • Avg Tokens: 500
  • Stars: 0
  • Forks: 0
  • Last Update: 2025-11-21

Tags

Obsidian, MCP, AI Agent, Knowledge Management, FastAPI, Vault