Security Reporting Report security vulnerabilities via GitHub Issues or email. Scope Hook scripts run locally with user permissions No credentials are transmitted — all env vars stay local Obsidian vault access is local filesystem only