The Obsidian team takes security seriously. This page explains the risks involved when installing community plugins, and what the Obsidian team does to address them.
By default, Obsidian runs in Restricted mode to prevent third-party code execution. Only turn off Restricted mode if you trust the authors of the plugins that you install.
To turn off Restricted mode:
To turn on Restricted mode:
Installed plugins remain in your vault even if you turn on Restricted mode, but are ignored by Obsidian.
Due to technical limitations, Obsidian cannot reliably restrict plugins to specific permissions or access levels. This means that plugins will inherit Obsidian's access levels. As a result, consider the following examples of what community plugins can do:
If you're working with sensitive data and wish to install a community plugin, we recommend that you perform an independent security audit on the plugin before using it.
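As a starting point for such an audit, the following added example (not part of the original page and not Obsidian's own code) scans a plugin's bundled JavaScript for references to process execution, filesystem, network and dynamic-code capabilities, and reports where they occur. The function names, the rule list and the sample source are assumptions constructed for illustration.

```javascript
// Added example: first-pass triage of a community plugin's bundled source.
// Rule names and patterns are illustrative assumptions, not an official list.
const CAPABILITY_RULES = [
  { capability: "process-execution", pattern: /require\(\s*["'](?:node:)?child_process["']\s*\)/g },
  { capability: "filesystem", pattern: /require\(\s*["'](?:node:)?fs(?:\/promises)?["']\s*\)/g },
  { capability: "electron", pattern: /require\(\s*["']electron["']\s*\)/g },
  { capability: "network", pattern: /\b(?:fetch|requestUrl)\s*\(|\bnew\s+(?:XMLHttpRequest|WebSocket)\b|require\(\s*["'](?:node:)?https?["']\s*\)/g },
  { capability: "dynamic-code", pattern: /\beval\s*\(|\bnew\s+Function\s*\(/g },
];

// Returns one finding per match: capability, 1-based line and column, and a
// short excerpt so a reviewer can jump to the spot in a minified bundle.
function auditPluginSource(source) {
  const findings = [];
  for (const { capability, pattern } of CAPABILITY_RULES) {
    for (const match of source.matchAll(pattern)) {
      const before = source.slice(0, match.index);
      const line = before.split("\n").length;
      const column = match.index - before.lastIndexOf("\n");
      const excerpt = source
        .slice(Math.max(0, match.index - 20), match.index + match[0].length + 20)
        .replace(/\s+/g, " ");
      findings.push({ capability, line, column, excerpt });
    }
  }
  return findings.sort((a, b) => a.line - b.line || a.column - b.column);
}

// Groups findings into a per-capability count for a quick summary.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.capability] = (counts[f.capability] || 0) + 1;
  return counts;
}

// Constructed sample input (not taken from any real plugin).
const SAMPLE_PLUGIN_SOURCE = [
  'const { Plugin, requestUrl } = require("obsidian");',
  'const fs = require("fs");',
  'module.exports = class Sample extends Plugin {',
  '  async onload() {',
  '    const res = await requestUrl({ url: "https://example.invalid/config" });',
  '    fs.writeFileSync("/tmp/sample.txt", res.text);',
  '  }',
  '};',
].join("\n");

console.log(summarize(auditPluginSource(SAMPLE_PLUGIN_SOURCE)));
```

Findings are leads for manual review, not a verdict: a clean result does not show that a plugin is safe, because obfuscated or dynamically constructed calls will not match these patterns.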
Community plugins undergo an initial review when they're submitted to the plugin store. All plugins must adhere to Obsidian Developer Policies.
The Obsidian team is small and unable to manually review every new release of community plugins. Instead, we rely on the help of the community to identify and report issues with plugins.
security.md or readme.md for how to report those. For Critical category flaws, please report the issue to Obsidian support as well.