obsidian-remote-mcp

Self-hosted MCP server that provides remote AI clients with read and write access to Obsidian vaults over HTTPS without needing the Obsidian desktop app running.

→ nweii/obsidian-remote-mcp · listed on glama

Is this your MCP?

Claim it to get a verified publisher badge, a free copy of our full audit findings, and direct contact for any high-priority issues we find.

Install from

Glama

M8ven verifies MCPs across every public registry — install directly from whichever one you prefer.

// key findings

⚠️

Known vulnerabilities in dependencies: 3 high

Affects packages this MCP installs at runtime. Upgrade or remove the affected dependency.

✅

No credential exfiltration, no sensitive file access, no obfuscation

Static analysis found nothing flowing your secrets to unexpected places.

🔐

You'll be asked for 3 credentials: HEALTH_TOKEN, MCP_CLIENT_SECRET, MCP_STATIC_BEARER_TOKEN

These are read from process.env at runtime. Make sure you trust where they’ll be sent.

// required environment variables

This server reads these from process.env. You'll be asked to provide them before it can run.

configCORS_ALLOWED_ORIGINS— CORS allowlisting () for browser-based clients

configDAILY_NOTE_PATH_TEMPLATE— Daily/{YYYY}-{MM}-{DD}.md

🔐 secretHEALTH_TOKEN— optional; enables GET /health (see Health endpoint)

configLOG_DIR

configLOG_ENABLED

configMCP_ALLOWED_REDIRECT_URIS— Cursor's OAuth redirect URI (cursor://anysphere.cursor-mcp/oauth/callback) is in the default allowlist. If you set yourself, include it so Cursor can still complete OAuth.

configMCP_BASE_URL— must match the public site origin (no /mcp).

configMCP_CLIENT_ID— export =my-vault-mcp

🔐 secretMCP_CLIENT_SECRET— OAuth 2.1 + PKCE with optional on token exchange

🔐 secretMCP_STATIC_BEARER_TOKEN— API key () for clients that take a fixed credential instead of browser auth

configMONTHLY_NOTE_PATH_TEMPLATE— Monthly/{YYYY}-{MM}.md # optional; opt-in cadence

configOBSIDIAN_VAULT_ID— personal # optional when obsidian.json contains multiple vaults

configPORT

configQUARTERLY_NOTE_PATH_TEMPLATE— Quarterly/{YYYY}-Q{Q}.md # optional; opt-in cadence

configRESOLVE_INDEX_TTL_MS

configTOKEN_STORE_PATH— : /app/data/tokens.json # uncomment to persist OAuth sign-ins across restarts

configVAULT_ATTACHMENT_MAX_BYTES— 10485760 # optional; vault_read_attachment size cap, defaults to 10 MB

configVAULT_CONTEXT_PATH— vault_context Read the vault guidance note configured by , or fall back to AGENTS.md / CLAUDE.md

configVAULT_DISPLAY_NAME— Personal # optional; defaults to the vault directory name

configVAULT_MCP_TEST

configVAULT_PATH— export =/absolute/path/to/your/vault

configVAULT_READ_ONLY— Block paths with .mcpignore; set to turn off writes.

configWEB_CLIPPER_SETTINGS_PATH

configWEEKLY_NOTE_PATH_TEMPLATE— Weekly/{GGGG}-W{WW}.md # optional; opt-in cadence

configYEARLY_NOTE_PATH_TEMPLATE— Yearly/{YYYY}.md # optional; opt-in cadence

// full audit trail

The full breakdown of what we checked, the deductions that landed, the network hosts, the dependency advisories, and concrete fix guidance is available to verified publishers.

// improvement guidance — verified publishers only

We have 3 concrete improvements we can share with the publisher of this MCP. Each comes with specific guidance to raise the trust score.

// embed badge in your README

[![M8ven Score](https://m8ven.ai/badge/mcp/nweii-obsidian-remote-mcp-1ul42a)](https://m8ven.ai/mcp/nweii-obsidian-remote-mcp-1ul42a)

commit: 54900c10faa98017ae4206028ffc152a0d1308d9

code hash: 408545d461f2fc3e34f2cbb00363b6980cd1ea432b52fb07bcef9a88905a5226

verified: 6/13/2026, 10:05:58 AM

view raw JSON →