74
/ 100
5 days ago
glama

obsidian-vault-mcp

An MCP server that enables Claude Desktop to read and write an Obsidian vault hosted on a VPS, using SSH or HTTP transport with OAuth authentication.

Is this your MCP?

Claim it to get a verified publisher badge, a free copy of our full audit findings, and direct contact for any high-priority issues we find.

Install from

M8ven verifies MCPs across every public registry — install directly from whichever one you prefer.

// key findings
No credential exfiltration, no sensitive file access, no obfuscation
Static analysis found nothing flowing your secrets to unexpected places.
🔐
You'll be asked for 1 credential: MCP_JWT_SECRET
These are read from process.env at runtime. Make sure you trust where they’ll be sent.
// known CVEs in dependencies1 low

Disclosed vulnerabilities in this server's declared npm dependencies (via OSV). Whether each is reachable depends on the installed versions.

lowesbuild@0.24.0GHSA-67mh-4wv8-2f99

esbuild enables any website to send any requests to the development server and read the response

Depend on this server? Get alerted when its CVEs change.Watch this server free →
// required environment variables
This server reads these from process.env. You'll be asked to provide them before it can run.
configMCP_AUTH_PASSPHRASEone of Single-user shortcut: the login passphrase for the one vault given as the CLI arg. Use this or MCP_USERS_FILE.
configMCP_CLIENTS_FILEno Where DCR client registrations persist (default: next to index.js).
🔐 secretMCP_JWT_SECRETyes 32+ random bytes used to sign access/refresh tokens. Rotating it revokes all tokens.
configMCP_NO_AUTHno Set to 1 to disable auth — local testing only, never public.
configMCP_PUBLIC_URLyes Public origin, e.g. https://91-99-211-116.sslip.io. Used as the OAuth issuer/audience.
configMCP_USERS_FILEone of Per-user {id, passphrase, vault} map (see below) — for multiple people/vaults.
configSMOKE_PORT_A
configSMOKE_PORT_B
configSMOKE_PORT_D
// full audit trail
The full breakdown of what we checked, the deductions that landed, the network hosts, the dependency advisories, and concrete fix guidance is available to verified publishers.
// improvement guidance — verified publishers only
We have 4 concrete improvements we can share with the publisher of this MCP. Each comes with specific guidance to raise the trust score.
// embed badge in your README
[![M8ven Score](https://m8ven.ai/badge/mcp/bepitulaz-obsidian-mcp-135wkt)](https://m8ven.ai/mcp/bepitulaz-obsidian-mcp-135wkt)
commit: ef96eebd1c12d9e89a584d1a8342a5f67de638ec
code hash: e5431d3fd959a809b016d52b5080c11e50ed2d145991da600dd74e9493ad098e
verified: 7/6/2026, 10:33:50 AM
view raw JSON →