Obsidian Excalidraw extension is insecure? How?

I saw this in the new website for plugins Obsidian Community.

Obsidian Excalidraw - Health: Excellent / Review: Risks

The most downloaded plugin in Obsidian, with more than 6 million downloads, and it says “Risks”.

Why? And how? Which types of attacks? XSS, remote execution, data exfiltration, supply chain exploitation… ?

From my user point of view (although, I don’t use Excalidraw :blush: ), the plugin isn’t necessarily more “insecure” than it was 3 days (a week or a month) ago :innocent:

It’s just an old plugin (and a very big one), created long before Obsidian put in place stricter development rules/policies, which was reviewed once (at submission time, ages ago) before being approved, and Excalidraw is simply not compliant with these new rules yet…
(But I’m pretty sure Excalidraw’s dev will work on these as time goes by and become more secure/compliant with Obsidian’s dev policies)

What you see in the Risks section doesn’t necessarily mean the plugin actually does something malicious (you can actually check these by yourself, in the repo, for most cases, as some results point to where, exactly, the risk/issue occurs) but that yes, the method currently used by the plugin might present a risk (which Obsidian now clearly exposes, although the “risk” was most likely already there before) :blush:

Now, another thing with the old (and grandfathered) plugins to possibly keep in mind is that sometimes, they’re flagged because Obsidian doesn’t necessarily provide another safe alternative way to do what the plugin has/needs to do …
So some devs had to work around that “limitation” (in the past) using something else while trying to satisfy the needs of their users… And these plugins were also, like Excalidraw, only reviewed once, at submission time (which isn’t the case anymore as each new version will get scanned with the new process).

But again, that doesn’t mean the plugin does something nefarious :blush: … “just” that it might (:sweat_smile:) and that the dev should work on their plugin to mitigate these risks and make the plugin safer :blush: .

1 Like

Click Risks and it brings you to the Scorecard to see all the disclosures and risks. Or scroll down a bit and click Scorecard tab.

2 Likes

Yeah, @zsviczian is doing an excellent job. Less than a week, and he has already updated and patched those “vulnerabilities”. Now it says 79% “Satisfactory”. So thanks @zsviczian.

2 Likes