Independent research consultant in a Berlin Altbau apartment hand-arranging three index cards labelled Sources, Drafts and Concepts beside a half-closed laptop

Obsidian and Claude: The AI-assisted knowledge system in practice

Three integration paths, documented productivity gains and real security limits

Obsidian and Claude are sold in 2026 as the blueprint for a second brain. Pair them and you build a local, searchable, write-capable knowledge system. Here is what the three established integration paths actually deliver, where the productivity gains are documented, and where the architecture hits real limits, from token ceilings to the April OX RCE flaw.

Summary

Obsidian counts an estimated 1 to 1.5 million users worldwide, has more than 1,000 active plugins and around 2 million US dollars in 2025 revenue from an 18-person team. Three productive integration paths with Claude are established in 2026: the mcp-obsidian repository by Markus Pfundstein with 3,600 stars over the Local REST API, the obsidian-claude-code-mcp plugin by iansinnott with a dual WebSocket and HTTP/SSE architecture, and Claude Code running directly inside the vault directory without MCP. Smart Connections, with over 5,000 stars, remains the most adopted AI plugin and ships local embeddings. Field reports show 2,000-word drafts in 90 minutes and link repair in a 12-million-word vault under 10 minutes, alongside performance limits beyond 4,000 notes and an MCP RCE flaw disclosed by OX Security in April 2026 that, according to the firm, affects 150 million downloads.

1M+
Estimated Obsidian users worldwide (2026)
3,600
GitHub stars mcp-obsidian (Pfundstein)
5,000+
GitHub stars Smart Connections
150M
Downloads affected by MCP security flaw

What Obsidian and Claude deliver together

Obsidian is a local Markdown notes application with more than one million users worldwide. Claude is Anthropic's language model family. Pair them and you build a searchable, write-capable knowledge system on your own machine, with Markdown files as the source of truth. The promise of a second brain meets a mature toolchain in 2026, but it also meets real security and performance limits.

Model Context Protocol (MCP) is an open protocol from Anthropic that gives language models access to external tools such as file systems, APIs or databases. In the Obsidian context, an MCP server opens the vault to Claude and makes notes readable, searchable and writable.

Three building blocks make the workflow attractive. First, Obsidian stores all notes as plain Markdown files in a local folder, the vault. Second, Claude can reach those files through three paths without sending data to any cloud sync service. Third, a lively plugin ecosystem with more than 1,000 active extensions covers most of the detail problems already.

  • 70,000 members in the official Discord, 35,000 forum users (source: t3n)
  • Around 2 million US dollars annual revenue in 2025, bootstrapped, 18-person team (source: Fueler.io)
  • Anthropic is, alongside local models via Smart Connections, the most frequently connected LLM provider for this workflow
Architecture

Three paths to connect Obsidian with Claude

Three established integration paths exist in 2026. The choice depends on whether you use the Claude Desktop app, the Claude Code CLI, or a plugin inside Obsidian. All three keep the Markdown files local but differ in capability and risk profile.

Path Tool Prerequisite Write access
MCP via Local REST API mcp-obsidian (Pfundstein, 3,600 stars) Local REST API plugin in Obsidian, API key, entry in claude_desktop_config.json Seven tools, from list_files to delete_file
Obsidian Claude Code MCP iansinnott plugin (279 stars) Plugin install, auto-discovery on port 22360 WebSocket for Claude Code, HTTP/SSE for Claude Desktop
Claude Code in the vault Claude Code CLI Start Claude Code inside the vault directory Direct file system access, no extra plugin
Developer at a desk with a laptop showing a terminal with MCP server logs alongside a Markdown editor displaying a vault folder tree
Test setup of an MCP server next to the open vault, with the port number 27124 noted on the palm rest.

The simplest variant is to launch Claude Code directly in the vault , with no MCP at all. Claude Code reads Markdown files via the file system without an API key or extra plugin. If you work with Claude Desktop or other MCP-capable clients, an MCP server is unavoidable. Both server options have active communities and ship under MIT or plugin-friendly licences.

What the seven tools of mcp-obsidian deliver: list_files_in_vault, list_files_in_dir, get_file_contents, search, patch_content, append_content, delete_file. With these you read, search, append and patch notes against headings.

Smart Connections as a complementary layer

Smart Connections, with over 5,000 GitHub stars, is the most adopted AI plugin for Obsidian and works alongside the MCP paths. It builds embeddings locally with the BGE-micro-v2 model (384 dimensions) and supplies the semantic search layer the simple MCP tools lack. The Connections view shows related notes while you write, the Lookup view enables meaning-based search across the entire vault.

Key takeaway

Smart Connections is the only variant that can keep the vault entirely local. Once you connect the chat function to Claude or any other cloud API, that locality breaks. Anyone handling GDPR-relevant content should draw this line consciously.

Smart Chat Pro is the standalone sister plugin that handles multi-provider routing to over 100 cloud APIs including Claude, Gemini, ChatGPT and Llama 3. Using Smart Connections for local search and Claude for writing combines the local-embedding advantage with the cloud-model advantage in a single workflow.

Practice

What actually happens in practice

Users report concrete productivity gains, but not everywhere. The documented workflows show a sober pattern: the combination is strong on structural work, weaker on creative original output.

2,000
Word draft in 90 minutes
12M
Word vault, link repair under 10 minutes
4,000+
Notes, where token limits become noticeable

A field report from haihai.ai shows a 2,000-word draft in 90 minutes, explicitly described as AI assisted, not AI generated. Voice dictation through SuperWhisper produces the raw input, Claude trims redundancy while keeping the author's voice. The workflow is not the model, it is the tight coupling of capture, vault and editor.

Author Eleanor Konik reports similar patterns from a 12-million-word vault. Link repair, reformatting old daily notes and folder renames are done in under ten minutes. Notably she uses Claude less as a writing assistant and more as a bulk operator. The three faces of Claude play together here, each addressing the layer where the task sits.

  • Research consolidation: Claude pulls relevant notes from the vault and produces source-cited reports inside the vault
  • Bulk operations: reformatting, link repair, folder renames
  • Topical search: meaning-based queries such as "newsletters about fatherhood" return matches where classic full-text search produces only noise

European perspective and privacy

The local architecture is the central argument in the GDPR context. Notes sit physically on the user's machine, not in a cloud. As soon as Claude processes content, however, that content leaves the local machine and arrives at Anthropic. That is the meaningful difference compared with a pure Smart Connections setup running local models.

Locally controllable
Markdown files stay physically on the device
No vendor lock-in, every Markdown tool can read them
Fully versionable and backupable through Git
Smart Connections with local embeddings has no cloud component
What goes to Anthropic
Content of every note loaded during the active prompt
Search queries, file paths and vault structure
Attachments or code that you deliberately share
With write access: later responses that modify notes

For business use the Anthropic terms apply, and Enterprise accounts come with a GDPR-aligned data processing agreement. If you keep client files, personnel data or trade secrets in your vault, those data classes need to be excluded from Claude's reach explicitly, either via a separate vault or via folder exclusions in the MCP server configuration.

Risks

Challenges and risks

Three risks are documented in 2026 and should be weighed before productive use. They lie not in the second-brain idea, but in the access implementation.

MCP security flaw April 2026: OX Security disclosed an architectural RCE flaw in the Model Context Protocol that, according to the firm, affects 150 million downloads, with up to 200,000 vulnerable instances worldwide. Recommended: only signed servers, sandbox execution, validation of external configuration input, and no public IP exposure.

  • Plugin supply-chain risks: The popular obsidian-mcp-tools project is no longer maintained, with the maintainer citing risks from distributed executables. Plugins can carry broader permissions than their code suggests.
  • Whole-vault visibility: When Claude has access to the entire vault, the model can see whatever lands in the context, including private journals, client files or password notes.
  • Performance with large vaults: Token limits begin around 4,000 notes, response times reach 5 to 10 minutes, API costs rise.
  • Maturity reality: Experienced users on the Obsidian forum do not run MCP permanently in their main vaults but keep separate test vaults. The consensus describes MCP as "interesting to explore" but "not yet transformative for everyday workflows".

What organisations should do now

Connecting Obsidian and Claude is not productive because it is technically elegant. It is productive when there is a clear use case and the risk profile is understood. Recommendation in five steps.

Knowledge management lead and IT security officer at a meeting table comparing a two-column data classification sheet for a standard vault and a client vault
Data classification before vault architecture: which content can be shared with Claude, which cannot.

  1. Use case before architecture

    Which concrete task should the workflow solve? Research consolidation, drafting acceleration, link maintenance or knowledge base build-up? Without a clear use case, the setup remains a toy.

  2. Test vault first

    Never connect the main vault with the first integration. Separate vault, separate branch, backup before every step that grants write access. Migrate to the main vault only after four to six weeks of stable testing.

  3. Decide write access deliberately

    A read-only configuration is the safer entry point. Grant write access only after Git versioning is in place and use cases are validated. In the MCP server, deliberately do not expose delete_file and patch_content.

  4. Data classification before vault build

    Define which data classes are allowed inside the Claude-accessible vault. Keep client files, personnel data and trade secrets separate. For consultancies and law firms a client vault must be kept apart by default.

  5. Monitoring and audit

    For productive use keep MCP call logs and follow the OX Security recommendations: sandbox, only verified servers, no public IP exposure. For plugins: install from signed sources, run regular updates, and check maintainer activity.

Anyone working with Claude Skills can structure the vault workflow further. A skill that has read-only access to specific vault folders is safer than a generic MCP server with all tools enabled. That, too, is a form of data classification, just in the tool layer.

Further Reading

The Three Faces of Claude: Web, Desktop, CLI Building Skills for Claude: Complete Guide 2026 Claude Skills: Function, Practice and Security AI Coding Tools Pricing Shift 2026: End of the Flat Rate GitHub: mcp-obsidian (MarkusPfundstein) GitHub: obsidian-claude-code-mcp (iansinnott) GitHub: Obsidian Smart Connections The Hacker News: Anthropic MCP Design Vulnerability (April 2026)

Frequently Asked Questions

What is the simplest way to connect Obsidian with Claude? +

The simplest way is to start Claude Code directly inside the vault directory. Claude Code reads Markdown files via the file system, with no MCP server, no plugin and no API key. For Claude Desktop the easiest path is the obsidian-claude-code-mcp plugin by iansinnott, which auto-discovers on port 22360.

Is Obsidian with Claude GDPR-compliant? +

The Markdown files themselves stay on your machine and remain under your control. As soon as Claude processes content, however, that content reaches Anthropic. For business use the Anthropic terms apply, and Enterprise accounts ship with a GDPR-aligned data processing agreement. Personal data or client files do not belong unfiltered in a vault that is shared with Claude.

Which MCP server for Obsidian is best? +

There is no single best server, but three with different focus. mcp-obsidian by Markus Pfundstein has the most stars (3,600) and works through the Local REST API plugin with seven tools. obsidian-claude-code-mcp by iansinnott serves Claude Code via WebSocket and Claude Desktop via HTTP/SSE. Smart Connections is not a classic MCP server but offers local embeddings and semantic search with over 5,000 stars.

How do I protect my vault from accidental changes by Claude? +

The most important safeguard is Git. Version the vault and snapshot before each new integration. Begin with a read-only setup or a separate test vault. Grant write access only after the use cases are stable and backups run. In the MCP server you can disable delete_file and patch_content selectively by simply not exposing those tools.

What is the MCP security flaw from April 2026? +

Security research firm OX Security disclosed an architectural Remote Code Execution flaw in the Model Context Protocol in April 2026. According to OX, 150 million downloads are affected, with up to 200,000 vulnerable instances. Recommended mitigations are sandbox execution, validation of external configuration input, no public IP exposure, and only running verified servers.

How many notes does the Obsidian-Claude workflow handle? +

Up to roughly 4,000 notes the setup runs smoothly in most reports. Beyond that, token limits appear and individual prompts take 5 to 10 minutes. Eleanor Konik reports from a 12-million-word vault that bulk tasks like link repair still finish in under ten minutes. With a very large vault, restrict the Claude-accessible region to specific subfolders or move it into a separate vault.