Strengthening Obsidian's Plugin Ecosystem: A Community Call to Action
An Obsidian community member raises concerns about the slow plugin review, unreviewed updates, security risks, and theme policy violations, proposing community involvement for a sustainable ecosystem.
Hello Obsidian team,
My name is Emile, known to many as saberzero1. I am a core maintainer of Quartz and developer of various tools and integrations that enhance the use of Obsidian with Quartz. Over the past few months, I've observed a growing trend that I wish to address in this letter. This isn't meant to criticize the Obsidian developers or the incredible community, but rather to ensure Obsidian's continued growth and prosperity.
For four years, I've had the pleasure of being part of the Obsidian community. I've witnessed its expansion and the sharing of countless amazing projects. Despite presenting itself as a note-taking app with an offline, "you-own-your-notes" philosophy, it has cultivated a massive community of passionate writers, bloggers, tabletop RPG players, developers, content creators, artists, and many others. Who would have thought a note-taking app could foster such a vibrant community?
This success has been achieved despite a very small team working on the core Obsidian product. Recently, I've noticed an increase in questions and concerns on the official Obsidian Discord server regarding the plugin review process. It appears to be taking progressively longer for plugins to get approved, which, given the small team, is understandable but unsustainable.
A Sustainable Plugin Ecosystem
Currently, the plugin review process operates as follows:
- You create a plugin, adhering to the developer policies and plugin submission requirements.
- You submit a pull request to the Obsidian releases repository, adding your plugin to the list of community plugins.
- A bot scans your code for issues, likely flagging several.
- You address the issues or explain why certain remarks cannot be fixed.
- The bot confirms readiness, marking your plugin for review.
- You wait.
- An Obsidian developer reviews your code, likely leaving further remarks.
- You fix those remarks.
- An Obsidian developer confirms changes and merges the pull request.
- Congratulations! Your plugin is now available in the Community Plugins tab within Obsidian settings. Hurrah!
This process seems good, if a bit involved, right? However, the current time from proposal to inclusion can easily span a month, sometimes multiple months. This isn't likely to improve soon; as the community grows, more plugins will require manual review. The Obsidian community continues to expand, and thanks to AI, plugin development is more accessible than ever.
Beyond the initial review, there's a more pressing concern: Plugin updates are not reviewed at all.
Nothing prevents the developer of any of the nearly 2,500 plugins (or a malicious actor who gains access to a developer's account) from pushing an update that includes malicious code, such as:
- Copying your notes to a malicious actor.
- Reading configuration files from other plugins, which could contain API keys (e.g., GitHub, OpenAI) or passwords for integrated services (e.g., read-later apps).
- Downloading additional malicious code or files.
- Deleting your notes.
These are just a few examples. We cannot, and should not, expect the Obsidian team to manually review every single change to every single plugin.
A Reason for Concern
You might wonder if there's truly much reason for concern. After all, community plugins are opt-in, carry a warning label, and most are open source. What's the big deal?
I believe the workload for Obsidian developers regarding community plugins (and themes) is already excessively high. For a project related to Quartz, I recently downloaded every community theme available in Obsidian. To my frustration, approximately a quarter of them had severe syntax errors, making them difficult to work with. Having recently navigated the bot's requirements for a plugin submission, I wondered if similar checks were performed on community themes.
I inquired on the community Discord server. An Obsidian developer stated that themes are generally allowed if they don't break Obsidian and follow the developer policies. I found this puzzling, as I had observed several themes fetching network assets, which the developer policies explicitly forbid. Even one or two recently approved themes were loading assets over the network. When I pointed this out, the developer said they would investigate.
About a week later, I noticed that one theme had been removed from the list of community themes. Prompted by this, I wrote a script to check for network assets across the over 350 themes I had downloaded and followed the requirements for reporting policy violations. These policies state that, unless the violation is severe, the author should receive a week's notice to fix issues. I then visited the GitHub repositories of the offending themes, emailed my findings, and opened issues to the Obsidian support team.
To my surprise, about half of these themes already had issues raised by the Obsidian team, some well over a year prior, instructing the authors to remove network assets within seven days or face removal from the theme list. Despite this, at the time of writing, all reported themes are still available in the Obsidian theme browser.
I hope this example illustrates my concern: if the Obsidian team cannot address policy violations on community themes within a year, how can the community expect them to manage all the plugins? There are nearly ten times more plugins than themes, and plugins carry a significantly greater risk of malicious behavior than a theme fetching a font from Google or a background picture from Unsplash.
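The kind of check described above, as an added example rather than the author's own script: it scans a theme's CSS for `url()` and `@import` references that resolve over the network, treating `data:` URIs and relative paths as acceptable. The sample `theme.css` content is constructed for illustration.

```javascript
// Added example: scan an Obsidian theme's CSS for remote asset references,
// which the developer policies forbid. Not the author's script; a constructed
// regex-based check over url(...) tokens and quoted @import targets.

// Match url(...) tokens (quoted or bare) and @import "..." / @import '...'.
const URL_TOKEN = /url\(\s*(['"]?)([^'")]+)\1\s*\)|@import\s+(['"])([^'"]+)\3/gi;

// A target is "remote" when it is an absolute http(s) URL or a
// protocol-relative //host/path URL; data: URIs and local paths pass.
function isRemoteAsset(target) {
  return /^(https?:)?\/\//i.test(target.trim());
}

// Return one finding { line, target } per remote reference in the CSS.
function findNetworkAssets(css) {
  const findings = [];
  css.split("\n").forEach((text, idx) => {
    for (const m of text.matchAll(URL_TOKEN)) {
      const target = m[2] !== undefined ? m[2] : m[4];
      if (isRemoteAsset(target)) findings.push({ line: idx + 1, target });
    }
  });
  return findings;
}

// Constructed sample theme.css: two policy violations, two acceptable references.
const SAMPLE_THEME_CSS = [
  "@import url('https://fonts.googleapis.com/css2?family=Inter');",
  ".workspace { background-image: url(\"//images.unsplash.com/photo-1\"); }",
  "@font-face { font-family: Local; src: url(data:font/woff2;base64,AAAA); }",
  ".nav-file { background: url(./assets/icon.svg); }",
].join("\n");

for (const f of findNetworkAssets(SAMPLE_THEME_CSS)) {
  console.log(`line ${f.line}: remote asset ${f.target}`);
}
```

Running it over a downloaded theme's `theme.css` gives the line numbers to cite when opening an issue with the author.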
Plugins Are Obsidian
One might argue that community plugins are an optional part of Obsidian. I believe they are not optional at all. Many users choose Obsidian over alternatives for its offline, privacy-focused approach, and ownership of local Markdown files, but they stay for the amazing selection of plugins, themes, and the community built around it. While there's a clear warning when enabling community plugins, much of what elevates Obsidian from great to amazing are the plugins. Obsidian could never have achieved this success without the incredible community creating them:
- What would the TTRPG scene in Obsidian be like without all the amazing plugins for dice rolls, character sheets, fantasy maps, stat blocks, etc.?
- What would task management be without plugins adding calendars, tasks, reminders, etc.?
- What would the note-taking experience be without plugins integrating read-later apps, Excalidraw, PDFs, ebooks, etc.?
- What would the blogging experience be without plugins to streamline the note-to-website process, like Digital Garden or Enveloppe?
- What would the user experience be without plugins enhancing themes and providing further customization (e.g., Style Settings), or adding features we expect from a modern note-taking app (e.g., Kanban, Database Folder, Timelines, Settings Search)?
Even some core Obsidian features once originated as community plugins!
I could continue, but my point is clear: to maintain this amazing plugin ecosystem, we must address these slowly emerging issues.
Looking Forward
So, what is my proposal? After praising the Obsidian community so much, it only makes sense to turn to that same community for solutions. Therefore, I close this post with a plea and an invitation directly to the Obsidian team:
Dear Obsidian team,
Please let the community help. We are a community brimming with wonderful, often technical, individuals. If the Obsidian team were to create a list of the challenges they face in checking and maintaining community themes and plugins, I am confident the community could devise solutions. Many aspects can be further automated, both during initial reviews and when issues arise post-release. We all want to keep using Obsidian and creating amazing things, but it would only take a handful of malicious plugins to completely undermine the community built around this ecosystem. Tools like VS Code, Sublime Text, and Neovim demonstrate that a community-driven approach can be highly effective.
We understand your team is small. You simply do not have the capacity to handle the plugin workload alone. I believe it's time to start delegating more responsibilities to the community. Let us help you make Obsidian the best it can be.
Please.
Sincerely, saberzero1