
Safety & Control

Nothing changes in your vault without your knowledge. This page covers the safety systems and how to configure them.

The approval system

By default, Obsilo is fail-closed. It asks before performing any action that modifies your vault. Every write, edit, delete, or external call triggers an approval card in the chat.

What an approval card shows

When Obsilo wants to do something, a card appears with:

  • Write a file: the full content that will be written
  • Edit a file: a diff showing what changes (lines added and removed)
  • Delete a file: which file will be removed
  • Move/rename: source and destination paths

You can Allow once (approve this specific action) or Always allow (auto-approve this category from now on).

Permission categories

You can enable auto-approve per category. Go to Settings > Obsilo Agent > Permissions to see the full list:

| Category | What it covers | Risk level |
|---|---|---|
| Read operations | Reading files, listing folders, searching | Low (nothing changes) |
| Note edits | Editing existing Markdown notes | Medium (changes your content) |
| Vault changes | Creating, moving, or deleting files and folders | Medium-High (structural changes) |
| Web operations | Fetching web pages, searching the internet | Low-Medium (external data access) |
| MCP calls | Calling external tools via the Model Context Protocol | Medium (depends on the tool) |
| Subtasks | Spawning background sub-agents | Low (inherits parent permissions) |
| Plugin skills | Running built-in skill workflows | Low (guided multi-step tasks) |
| Plugin API reads | Reading Obsidian plugin data | Low (read-only) |
| Plugin API writes | Modifying Obsidian plugin settings | High (can change app behavior) |
| Recipes | Running multi-step automated workflows | High (many actions in sequence) |
| Sandbox | Executing code in the isolated sandbox | High (runs generated code) |

Permissive mode

If you auto-approve both web operations and note edits (or vault changes), Obsilo shows a security warning. This combination means the agent could fetch content from the internet and write it to your vault without asking.

Reviewing changes

The approval card

Before any write operation, an approval card appears in the chat. For file edits, it shows a color-coded diff with a badge like +3 / -1 indicating lines added and removed. Read the diff before approving.

The diff review modal

After a task completes, you can review all changes at once:

  1. The undo bar appears below the last message
  2. Click "Review changes" to open the diff review modal
  3. For each file, you see every change grouped by section (headings, paragraphs, code blocks)
  4. Decide per section: Keep, Undo, or Edit (modify the change manually)

This gives you fine-grained control: keep most of a task's work while reverting one specific paragraph.

Checkpoints and undo

Obsilo creates a checkpoint before the first modification to any file in a task. Checkpoints are stored in a shadow repository (using isomorphic-git) that does not interfere with your own git history.

The undo bar

After every task that modified files, an undo bar appears:

  • "Undo all changes": restores every file to its pre-task state with one click
  • "Review changes": opens the diff review modal for per-file decisions

Undo is always available

Even if you auto-approve everything, the checkpoint system records the state before changes. You can always undo after the fact.

How checkpoints work

  1. Obsilo snapshots each file before its first modification in a task
  2. The snapshot is stored as a git commit in the shadow repository
  3. If you undo, the original content is restored from the snapshot
  4. Files that were newly created (did not exist before the task) are deleted on undo

Checkpoints are automatic. You do not need to configure anything.

The operation log

Every tool call is recorded in a daily audit log file. This is your paper trail.

What is logged:

  • Timestamp
  • Tool name and parameters (sensitive values like API keys are redacted)
  • Whether it succeeded or failed
  • How long it took

Where to find it: JSONL files (one per day) in your plugin directory under logs/. Each file is named by date, e.g. 2026-03-31.jsonl.

Retention: Logs are kept for 30 days, then automatically deleted. You can browse recent logs in Settings > Obsilo Agent > Log.

No file content in logs

The operation log records that a file was read or written, but not the full content. It logs file path and content length, not the actual text.
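
A periodic review of the daily JSONL file can be scripted. The sketch below is an added example, not Obsilo code: the field names (ts, tool, params, ok, ms) and the tool names are assumptions, since this page does not give the log schema, and the sample lines are constructed. It reports failed calls, unparseable lines, and writes that follow a web fetch within 60 seconds, the sequence the permissive-mode warning is about.

```javascript
// Added example. Field and tool names are assumed; adapt them to your own logs.
const SAMPLE_LOG = [ // constructed sample lines, not real Obsilo output
  '{"ts":"2026-03-31T09:00:01Z","tool":"read_file","params":{"path":"notes/a.md"},"ok":true,"ms":12}',
  '{"ts":"2026-03-31T09:00:05Z","tool":"web_fetch","params":{"url":"https://example.com/article"},"ok":true,"ms":840}',
  '{"ts":"2026-03-31T09:00:20Z","tool":"write_file","params":{"path":"notes/clip.md","length":2048},"ok":true,"ms":9}',
  '{"ts":"2026-03-31T09:10:00Z","tool":"delete_file","params":{"path":"old/draft.md"},"ok":false,"ms":3}',
  '{"ts":"2026-03-31T09:10:05Z","tool":"write_', // truncated line, e.g. after a crash
].join("\n");

const WRITE_TOOLS = new Set(["write_file", "edit_file", "delete_file"]);
const WINDOW_MS = 60 * 1000; // how soon after a fetch a write counts as related

function reviewLog(text) {
  const report = { total: 0, malformed: [], failed: [], webThenWrite: [] };
  let lastFetch = null;
  text.split("\n").forEach((raw, i) => {
    if (!raw.trim()) return;
    let entry = null;
    try { entry = JSON.parse(raw); } catch { /* reported as malformed below */ }
    if (entry === null || typeof entry !== "object") {
      report.malformed.push(i + 1); // keep the line number for manual inspection
      return;
    }
    report.total += 1;
    if (entry.ok === false) {
      report.failed.push({ line: i + 1, tool: entry.tool });
      return;
    }
    if (entry.tool === "web_fetch") { lastFetch = entry; return; }
    if (WRITE_TOOLS.has(entry.tool) && lastFetch &&
        Date.parse(entry.ts) - Date.parse(lastFetch.ts) <= WINDOW_MS) {
      report.webThenWrite.push({
        line: i + 1, path: entry.params?.path, url: lastFetch.params?.url,
      });
    }
  });
  return report;
}

console.log(JSON.stringify(reviewLog(SAMPLE_LOG), null, 2));
```
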

The ignore file

Create .obsidian-agentignore in your vault root to define paths the agent should never access. It uses the same syntax as .gitignore:

# Private journal -- agent cannot read or modify these
journal/
diary-*.md

# Credentials and sensitive files
secrets/
*.env

There is also .obsidian-agentprotected for files the agent can read but never write:

# Templates -- agent can reference but not modify
templates/

Both files are themselves protected. The agent cannot modify or delete them.

Always-blocked paths

Regardless of your configuration, Obsilo never accesses .git/, the Obsidian workspace cache, or internal config files. These paths are blocked by default.
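
To check what a set of rules would cover before widening permissions, the layering described above can be modelled in a few lines. This is an added example, not Obsilo's matcher: it handles only a subset of .gitignore syntax (comments, trailing "/", "*" and "?"), assumes that ignore rules take precedence over protected rules, and models only .git/ from the always-blocked list because the other paths are not named on this page.

```javascript
// Added example: simplified .gitignore subset. Negation ("!") and "**" are
// not handled. Function names here are hypothetical, not Obsilo's API.
function parseRules(text) {
  return text.split(/\r?\n/)
    .map((line) => line.trim())
    .filter((line) => line && !line.startsWith("#"))
    .map((line) => {
      const body = line.replace(/^\/+|\/+$/g, "");
      const source = body.replace(/[.+^${}()|[\]\\]/g, "\\$&")
        .replace(/\*/g, "[^/]*").replace(/\?/g, "[^/]");
      return {
        dirOnly: line.endsWith("/"),
        anchored: line.startsWith("/") || body.includes("/"),
        regex: new RegExp(`^${source}$`),
      };
    });
}

// path is a vault-relative file path such as "journal/2026-03-31.md".
function matches(rules, path) {
  const parts = path.split("/").filter(Boolean);
  return rules.some((rule) => {
    // Directory rules are tested against ancestor folders only.
    const last = rule.dirOnly ? parts.length - 1 : parts.length;
    for (let i = 1; i <= last; i++) {
      const candidate = rule.anchored ? parts.slice(0, i).join("/") : parts[i - 1];
      if (rule.regex.test(candidate)) return true;
    }
    return false;
  });
}

const ALWAYS_BLOCKED = parseRules(".git/"); // only the path this page names
const CONTROL_FILES = [".obsidian-agentignore", ".obsidian-agentprotected"];

// Assumed precedence: always-blocked, then ignore, then protected.
function decide(path, ignoreText, protectedText) {
  if (matches(ALWAYS_BLOCKED, path) || matches(parseRules(ignoreText), path)) return "blocked";
  if (CONTROL_FILES.includes(path) || matches(parseRules(protectedText), path)) return "read-only";
  return "read-write";
}

const IGNORE = "journal/\ndiary-*.md\n\n# Credentials\nsecrets/\n*.env";
const PROTECTED = "# Templates\ntemplates/";
for (const p of ["journal/today.md", "notes/.env", "templates/daily.md", "notes/journal.md"]) {
  console.log(p, "->", decide(p, IGNORE, PROTECTED));
}
```

Note that notes/journal.md stays read-write: journal/ matches only a folder with that name, not a file.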

Best practices

  1. Start with approvals on. Leave auto-approve disabled until you are comfortable with how Obsilo works. Watch the approval cards to learn what the agent does.

  2. Enable categories gradually. Auto-approve reads first (low risk), then note edits after you trust the agent's judgment. Keep vault changes and sandbox on manual approval longer.

  3. Avoid the permissive combination. Do not auto-approve web operations and writes at the same time unless you fully trust the content sources.

  4. Use the ignore file. If you have sensitive notes (financial records, medical info, private journals), add them to .obsidian-agentignore before giving the agent broad permissions.

  5. Review the operation log periodically. A quick scan of recent logs shows what the agent has been doing and catches anything unexpected.

  6. Back up your vault. Checkpoints provide undo within Obsilo, but a proper vault backup (Obsidian Sync, git, or file-system backup) protects against everything.

  7. Use Ask mode for exploration. When you just want answers without changes, switch to Ask mode. It is read-only, so nothing in your vault can be modified.