Obsidian launches a Community site and developer dashboard with automated plugin/theme reviews, clearing 2,300 queued submissions and enabling near-instant approvals.
Key Takeaways
Automated review system scans every version, not just initial submissions, for security, code quality, and malware, using an open-source ESLint plugin plus dependency scanning.
4,000+ plugins and themes, 120M+ total downloads; the manual review queue was unsustainable as AI-assisted plugin creation accelerated submissions.
Per-project scorecards show pass/fail status publicly; upcoming additions include capability disclosures (network, filesystem, clipboard) and verified author badges.
Teams get controls to allowlist community plugins and distribute private plugins; closed-source plugins are no longer accepted for new submissions.
GitHub remains required for submission; submission-to-availability is now typically minutes to under 24 hours.
Hacker News Comment Review
Automated scanning is seen as a scaling fix, not a security guarantee; multiple commenters argued proper sandboxing with an explicit permission/capability API is the only reliable mitigation for malicious plugins.
The review backlog was a known pain point causing developer frustration and team burnout; the launch directly unblocks a major submission bottleneck that AI coding tools were rapidly worsening.
Scorecard UX is unclear for end users: commenters questioned what a non-developer is supposed to do with linter warnings and error flags on a plugin detail page.
Notable Comments
@kepano: Confirms manual reviews continue; automated system is built on the open-source eslint-plugin-obsidian plus dependency and malware scanning, no AI in the review pipeline.
@simonw: Raises liability concern: users depending on a review process creates reputational risk if an obfuscated exploit slips through a trusted review.