Project ideas from Hacker News discussions.

The Future of Obsidian Plugins

📝 Discussion Summary

3 Core Themes from the Discussion

Theme: Sandboxing & explicit permissions are essential
  • "the best (only?) way to solve the plugin security problem would be to properly sandbox them with an explicit API and permission system." – varun_ch
  • "A permissions system is planned … however, a permissions system alone is not enough." – kepano
  • "I'm not sure that 'Plugins will declare what they access' should be interpreted as a planned sandbox system. My (cynic) interpretation that it's an opt‑in honor system …" – hobofan

Theme: Automated scans & disclosures act as a filter but aren’t a full solution
  • "Every update is scanned, and we will be regularly re‑scanning all the latest versions of every plugin as we improve the system." – kepano
  • "All are necessary because permissions alone can't solve certain malicious behaviors … Look at some scorecards on the Community site you'll quickly see why some of the warnings are not things a permissions system or sandboxing could catch." – kepano

Theme: User trust & granular plugin rating are major concerns
  • "One thing that I think would be a huge boon … more context … clicking a link takes you to the code that calls out to github.com." – zie
  • "Finally!" – AntiUSAbah
  • "I realize you're just doing your job as CEO to shape perceptions here, but this is your best effort? The docs should have correctly stated 'we don't review ANY new community plugin release'." – kid64

Summary – The community repeatedly stresses that a robust sandbox/permission model, combined with thorough automated scanning and clearer disclosure, is needed to restore trust. Meanwhile, users demand more granular rating and filtering so they can control the security level of the plugins they install. These three concerns drive most of the conversation.


🚀 Project Ideas

Obsidian Sandboxed Plugin Runtime

Summary

  • Provides a secure, sandboxed execution environment for community plugins, isolating them from the host filesystem and network.
  • Core value: Users can safely experiment with third‑party plugins without risking data loss or exfiltration.

Details

Target Audience: Obsidian power users, developers, and enterprises seeking safe plugin experimentation
Core Feature: Isolated V8 context with whitelisted APIs; automatic AI‑driven security scans on each update
Tech Stack: Node.js/Electron fork, WebAssembly sandbox, Docker/containers for isolation, React UI, Python for scanning pipeline
Difficulty: High
Monetization: Revenue-ready: $7/month per user (hosted SaaS)

Notes

  • Directly addresses HN concerns about “malicious updates” and “permissions alone aren’t enough” – a sandbox plus AI review gives the safety HNers crave.
  • Potential for integration with existing plugin ecosystems (e.g., Obsidian, VS Code) and could become a building block for other desktop app plugin stores.

Plugin Health Monitor & Auto‑Review Bot

Summary

  • A free, open‑source CLI/GUI tool that watches plugin repositories, triggers automated lint‑and‑malware scans, and generates community‑visible health scores.
  • Solves the frustration of “no review pipeline” by giving maintainers instant feedback and users transparent risk ratings.

Details

Target Audience: Plugin maintainers, community moderators, and security‑conscious users
Core Feature: Continuous scraping of plugin releases, running eslint‑plugin, Trivy CVE checks, and AI‑enhanced code analysis; publishes scores to a public dashboard
Tech Stack: Node.js, Python (for AI summarizer), PostgreSQL, Grafana, Docker, GitHub Actions
Difficulty: Medium
Monetization: Hobby

Notes

  • Quotes from HN: “I’d love a tool that could flag suspicious code before I even install it” (dtkav). It also satisfies the demand for “disclosures” to be more than just a checkbox.
  • Could be packaged as a GitHub Action so developers get CI feedback on every PR, reducing manual review overhead.

Permission‑Based Plugin Installer for Teams

Summary

  • A lightweight desktop client that lets organizations manage plugin installations with fine‑grained permission approvals, version pinning, and audit logs.
  • Directly responds to HN calls for “explicit API and permission system” and “sandboxing” to protect corporate vaults.

Details

Target Audience: Enterprise users, team admins, and security officers deploying Obsidian at scale
Core Feature: Permission request UI (file‑system paths, network URLs); automated approval workflow; enforce least‑privilege defaults
Tech Stack: Electron, TypeScript, Electron‑Forge, SQLite, OAuth2 for corporate SSO
Difficulty: Medium
Monetization: Hobby

Notes

  • HN users repeatedly emphasized “you can’t trust a plugin that can read my private notes” – this tool makes permission consent explicit and reversible.
  • Could be extended to auto‑block updates that exceed defined permission boundaries, drastically reducing the attack surface for supply‑chain exploits.
