lol we told you plugins were insecure years ago. I distinctly remember getting flamed in your discord because I said that they had full disk access. Too little too late.

The insecurity is part of the benefit. Obsidian being so open, allowing easy customizing is what makes it great. They should add some more bells, whistles and guards to prevent sneaky social attacks, but they can't close Obsidian all together, or it would kill the app.

There's open, and then there's "full disk access, even outside the vault" open.

What do you propose? Even if they configure node's lowest level file APIs to block any access to paths outside the vault, plugins can still execute arbitrary shell commands who will have access to the entire OS.

And before you say it's useless and should be stopped too, well, that's a fine opinion! But then you lose plugins providing git integration, automated backups, document conversion using pandoc, etc. Many users might value that greatly.

A permission system for their plugins might be the only solution, annoying permission request popups and all.

That's a good point. I think I'd solve this in two steps.

0) scripts and plugins should only be able to operate on the text in the vault. Just like how I expect a snippet of JavaScript running in my browser to only have access to the website and not to my entire disk.

1) Any commands that run outside of this sandbox need to be approved first. Obviously this could get annoying, but there's tricks you could use here to help.

Obviously this is a high level approach and I'm not on their team, so this is basically armchair programming. But since you asked, it's okay. ;)

You better delete all third-party applications for they are having full disk access.

Hello, 2010s called.

In 2026, applications, third or even first party, don't need to have full-disk access, and are not given either. They see a jailroot environment. I give full disk access to the terminal app, and a handful of others. 90% of them, nope.

At least that's the case in macOS, I'm pretty sure Windows can do that too. Linux of course has had such capability since forever, but I guess most distros you need to manually take care of it.

Sadly, Windows cannot do that. Every installed program has full disk access by default. It's very, very difficult to make it not so.

Windows has had that feature for 9 years. https://learn.microsoft.com/en-us/defender-endpoint/controll...

This is implemented the wrong way around. Each program should only have access to its own folders by default, with it being possible to grant additional access. Also, I don't believe Endpoint stuff is included in the normal Windows license.

Microsoft has refused to allow any kind of persistence of these sandboxes making them absolutely worthless. Such a waste of an otherwise good feature.

Windows Sandbox is not for persistent apps

AppContainer (e.g. used in uwp or msix)

Can you configure that as a user for an unsafe program you want to run such as an online game? I think not.

Maybe it isn't built-in, but most Windows user I've worked with, including myself, have been using Sandboxie for probably two decades at this point, probably hard to find any Windows software that is more ubiquitous than Sandboxie in developer circles.

Sandboxie is essentially a giant pile of fragile hacks on top of a Windows API that does not want to be used this way. Does it seem like it works most of the time? Sure. Has it had bypasses? Also yes. I've used it in the past but I don't truly trust it.

Yes you can sandbox Obsidian on the OS. The point they're making is nearly every third party program ships Without sandboxing. There's nothing special about Obsidian here.

Interesting. Do I get this sandboxing out of the box when I install apps with Homebrew? Or do I need to do something specific?

Would love to enable this for all apps, and add exceptions for the ones that need more access.

I installed Lulu and BlockBlock recently, and want to do more to harden my Mac.

This hardening is enabled by default with Gatekeeper. That includes Homebrew apps, unless you disable it.

When an app tries to access something outside of its sandbox, you get a notification asking to approve or deny. Full Disk Access I think needs to be explicitly given on System Settings (Privacy & Security -> Full Disk Access).

That's probably all the hardening the average person needs. BlockBlock because most malware tries to get persistence. Little Snitch or LuLu for fine-grained whitelisting of network requests for any apps that have plugins (e.g. you give Documents permissions to Obsidian, plugins inherit that, but they can't exfiltrate if you only allow requests to trusted domains).

I've never tried to do this or similar in Windows (obviously easy in unix-like environments) but I'm going to bet it's far more trouble than it's worth for 99% of users

On macOS at least those 99% of users are probably installing from the App Store, where apps are sandboxed by default and need to explicitly ask for access to paths outside that sandbox. Even when not installed from the App Store a permission dialogue is popped if an application tries to read from sensitive paths like your photo library.

Does that help in this case though? I think the worry is that a rogue Obsidian plugin does bad stuff with your Obsidian vault, not just do stuff to the rest of the computer. But that vault/those notes live in the same sandbox as the (rogue) 3rd party plugin, which doesn't help with that, they really need to be isolated away from the notes themselves.

Anything that reduces the blast radius helps. There should still be a focus on further hardening. Most value comes from exploits that enable pivots. Attackers will focus on other vectors that enable broader pivots because immediate high value notes only exist for a limited set of users.

In this case, no, not really because the plugin is running within the same sandbox. I was addressing the more general point in the grandparent post.

For real security, operation should only be allowed after 24h of cooldown.

User should be required to explain the situation to an older and a younger family member, and get permission from both of them.

In the scenario where you take care of it yourself the rogue plugin would not be an issue either.

I have no idea how to do that in Windows though.

These types of problems usually only get fixed when it’s too late.

"Sorry we got caught" reactiveness.

Lol it's a social engineering attack. What are you talking about. Don't run programs you don't trust, especially when being asked to do so by strangers on the line.

That’s not spyware, that’s just how native messaging is designed to work. You have to put a manifest there if you want the native messaging to work later.

With this argument you could also justify: "That's not a remote access trojan (RAT), that's just how client-server communication is designed to work."

> You have to put a manifest there if you want the native messaging to work later.

The point is that Claude Desktop didn't ask the user whether they want native messaging in the first place. Which is strange, given that users experience many "Do you grant permission to do XYZ" prompts when working with Anthropic products in other situations.

What you're describing was a norm back in like the 90's, but disappeared in the ought's/10's when companies decided the user actually being kept abreast of what their machine was being asked to do clashed with the ethos that "the luser is clueless, and we are not; just ship the functionality, and we'll beg for forgiveness later". I fought the attitude my entire tenure as a QA engineer, but business always seemed to get their override from the execs above.

At the point we're at, I'm so ethically locked out of unregulated contexts where one can't necessarily get away with that sort of thing, I'm beginning to give up hope the Industry can be turned around at all short of everyone with a modicum of ethics making the experience of computing so damned defensively locked down, it ceases to be a legacy worth passing down as anything but a cautionary tale on the hubris of man, and the ease with which men can be lured to corrupt ends via their stomachs.

No, it’s more like “installing software installs files on the system”.

That’s not new by any means. It’s no different than zoom installing a native audio plugin for the os, or other software creating files on the system.

Yeah, this. 1password does the same thing for any browser it detects when installed for the native desktop integration from the chrome extension.

Not 100% across the spec but this wouldn't functionally do anything until you install the related extension? e.g., it's pinned to nominated `allowed_origins`

Yea I guess the issue here is whether you think installing the extenstion should set up the integration or installing the thing being integrated should set up it. Im inclined to think its the extensions responsibility, but I dont think its a severe data issue.

Aha! Same for me. A telling sign to me is it will take him 2-3 turns of “that’s not right” before he’ll say “let me do this properly…” and do what I original requested.

oh yeah - I get that too. Also, if I tell him to verify something - he'll do a big song and dance about verifying it as correct. Then you point out something very basic and he'll trigger that 'let me do this properly', verify it again, find out he was wrong - then say he was working from stale data/assumptions

Instead of fighting with an AI you could just... do it yourself

I've been doing it myself for 40 years...I wanna play with the new shiny abit :-D Whats the point of being a geek if you don't play with the new shinies ?

Maybe I should just hang it up and go to bed:

  That's a Claude Code issue — queued slash commands not executing between steps.

 you didn't answer me - is that last rule we added to MEMORY.md active and working ?

● Your point: you're asking whether rule 4 ("restate before responding") is actually being followed, because I just failed to do it two messages ago.

  No, it's not working reliably. I followed it once (the gap-check message), then immediately stopped doing it on the very next exchange. The rule exists in memory but I'm not consistently applying it.

It’s not celebrity worship, it’s trying to show the absurdity of celebrity worship.

It's in the frame and it's mid. There is enough ambiguity of interpretation (as is the nature of gonzo writing) and one instance of saying willow smith talks like a homeless person to trick people into missing the frame the article adopts, the mean spirited takedown and the worship are the same. This is literally textbook tabloid framing, the tabloid elevates, the tabloid destroys, the tabloid tells you have nothing better to do while you wait in a long line. This article is celebrity worship tabloid brain rot.

Better than rest is a low bar though. Ultimately agents should rarely be calling raw rest and graphql apis, which are meant for programmatic use.

Agents should be calling one level of abstraction higher.

Eg calling a function to “find me relevant events in this city according to this users preferences” instead of “list all events in this city”.

Kamal + cloudflare tunnel is a neat setup.

AI is having the same effect on art as the iPhone did on photography.

There’s a lot more photos now, most of them mediocre, but some exceptional.

It does become harder to filter great photography from noise.

Except, they have one person in the ear. Not 4-5, not people giving opposite opinions, not drive by takes.

By the time a race engineer is communicating with a driver all of that has been shaken out. Specific concrete options are given to the driver, and usually only one.

This is very French!