Last week a story made the rounds about an Obsidian plugin being abused to deploy a remote access trojan against finance and crypto professionals. The attack itself was fairly involved — a malicious shared vault, social engineering, multiple confirmation dialogs bypassed — but one detail stuck with us. The victims were sharing documents with people they didn't fully know, and the attack surface was the collaborative, shareable nature of the tool itself.
We build mdview.io, a markdown viewer designed specifically for sharing documents like RFCs, design docs, and technical proposals. Our users are engineers. And engineers, when they're drafting fast, do things like paste a database connection string into a doc to illustrate an example, write api_key=sk-abc123... in a configuration walkthrough, or reference http://postgres.prod-db.internal while describing an architecture decision. Then they hit share.
We've seen it happen. Probably more than we know.
So we built Pre-Share Check.
What it does
Pre-Share Check is a one-click audit that runs entirely in your browser before you share a document. No API calls. No data leaving your machine. Instant results.
It scans your markdown across three severity levels.

High severity catches the things that would genuinely ruin your day: AWS access keys, GitHub tokens, private key blocks, API key assignments, Google API keys. The patterns are tight enough to avoid false positives on fictional examples while catching anything that looks like a real credential.

Medium severity flags internal infrastructure references — private IP ranges, internal domains ending in .corp or .internal, references to staging environments, and tooling domains like Grafana, Kibana, Jira, or Confluence that almost certainly shouldn't appear in a public document.

Low severity handles hygiene issues: external image embeds that ping third-party servers when your document loads, raw HTML that might behave unexpectedly, TODO and placeholder phrases you forgot to fill in, and invisible Unicode characters that occasionally sneak in from copy-paste.
When you click the Check button in the viewer rail, a dialog opens with findings grouped by severity. If nothing is found, it tells you that clearly. If something is found, each category is labeled — HIGH in red, MEDIUM in amber, LOW in grey — with a plain-English description of what triggered it. No jargon, no false drama. Think of it as a review checklist, not a security scanner.
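To make the three tiers concrete, here is an added example of such a client-side check written in plain JavaScript. It is not mdview.io's code: the pattern set, the category names, the 20-character minimum for an API key value and the report layout are all this example's own assumptions, and the sample document is constructed with every value in it fake. It runs in a browser or under Node without any network call, and it redacts each match in the report so the dialog itself never re-displays a full credential.

```javascript
// Added example of a browser-side pre-share scanner (not mdview.io's code).
// Every pattern below is an assumption chosen for illustration.
const CHECKS = [
  // HIGH: strings shaped like live credentials
  { severity: 'HIGH', id: 'aws-access-key', desc: 'AWS access key ID',
    re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g },
  { severity: 'HIGH', id: 'github-token', desc: 'GitHub token',
    re: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/g },
  { severity: 'HIGH', id: 'private-key', desc: 'Private key block',
    re: /-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----/g },
  // A long literal value is required, so a short fictional "sk-abc123" does not fire.
  { severity: 'HIGH', id: 'api-key-assignment', desc: 'API key assignment',
    re: /\b(?:api[_-]?key|secret[_-]?key|access[_-]?token)\s*[:=]\s*["']?[A-Za-z0-9_\-]{20,}["']?/gi },
  { severity: 'HIGH', id: 'google-api-key', desc: 'Google API key',
    re: /\bAIza[0-9A-Za-z_\-]{35}\b/g },
  // MEDIUM: internal infrastructure references
  { severity: 'MEDIUM', id: 'private-ip', desc: 'Private IP address',
    re: /\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b/g },
  { severity: 'MEDIUM', id: 'internal-domain', desc: 'Internal hostname (.corp / .internal)',
    re: /\b[a-z0-9.-]+\.(?:corp|internal)\b/gi },
  { severity: 'MEDIUM', id: 'staging-ref', desc: 'Reference to a staging environment',
    re: /\bstaging\b/gi },
  { severity: 'MEDIUM', id: 'tooling-domain', desc: 'Internal tooling host',
    re: /\b(?:grafana|kibana|jira|confluence)\.[a-z0-9.-]+\b/gi },
  // LOW: hygiene
  { severity: 'LOW', id: 'external-image', desc: 'External image embed',
    re: /!\[[^\]]*\]\(https?:\/\/[^)\s]+\)/g },
  { severity: 'LOW', id: 'raw-html', desc: 'Raw HTML tag',
    re: /<\/?[a-z][a-z0-9-]*(?:\s[^>]*)?>/gi },
  { severity: 'LOW', id: 'placeholder', desc: 'TODO / placeholder phrase',
    re: /(?:\b(?:TODO|TBD|FIXME)\b|lorem ipsum|\[insert [^\]]*\])/gi },
  { severity: 'LOW', id: 'invisible-unicode', desc: 'Invisible Unicode character',
    re: /[\u200B-\u200D\u2060\uFEFF]/g },
];

// Keep only a short preview of a match so the report never echoes a whole secret.
function redact(s) {
  return s.length <= 8 ? s : s.slice(0, 4) + '...' + s.slice(-2);
}

// Run every check over the document; returns one finding per match with its 1-based line.
function scanMarkdown(markdown) {
  const findings = [];
  for (const check of CHECKS) {
    for (const m of markdown.matchAll(check.re)) {
      const line = markdown.slice(0, m.index).split('\n').length;
      findings.push({ severity: check.severity, id: check.id, desc: check.desc, line, preview: redact(m[0]) });
    }
  }
  return findings;
}

function groupBySeverity(findings) {
  const groups = { HIGH: [], MEDIUM: [], LOW: [] };
  for (const f of findings) groups[f.severity].push(f);
  for (const sev of Object.keys(groups)) groups[sev].sort((a, b) => a.line - b.line);
  return groups;
}

function summarize(findings) {
  const g = groupBySeverity(findings);
  return { HIGH: g.HIGH.length, MEDIUM: g.MEDIUM.length, LOW: g.LOW.length };
}

function isClean(findings) {
  return findings.length === 0;
}

// Plain-text rendering of the grouped report, in the order a dialog would show it.
function renderReport(findings) {
  if (isClean(findings)) return 'No issues found.';
  const groups = groupBySeverity(findings);
  const out = [];
  for (const sev of ['HIGH', 'MEDIUM', 'LOW']) {
    if (groups[sev].length === 0) continue;
    out.push(`${sev} (${groups[sev].length})`);
    for (const f of groups[sev]) out.push(`  line ${f.line}: ${f.desc}: ${f.preview}`);
  }
  return out.join('\n');
}

// Constructed sample document; every value is fake and chosen to exercise each tier.
const SAMPLE_DOC = [
  '# RFC-042: Metrics pipeline (constructed sample, all values fake)',
  '',
  'Config example: api_key=sk-abc123...   <- short fictional value, should not fire',
  'Real-looking: api_key=sk-live-9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c',
  'AWS: AKIAFAKEFAKEFAKEFAKE',
  'Dashboards live at grafana.corp.example and metrics db at 10.42.0.17.',
  'See also http://postgres.prod-db.internal for the schema.',
  '![arch](https://cdn.example.com/arch.png)',
  '<details>notes</details>',
  'TODO: fill in the rollout plan.',
  'Zero-width\u200Bspace hidden here.',
].join('\n');

console.log(renderReport(scanMarkdown(SAMPLE_DOC)));
```

Against the sample document this reports two HIGH findings (the long API key value and the AWS-shaped key), four MEDIUM (the .corp and .internal hostnames, the Grafana host and the private IP) and five LOW, while the short fictional `sk-abc123...` on line 3 is left alone, which is the false-positive behaviour the paragraph above describes.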
Why client-side matters here
The obvious question is why we didn't just run this server-side, where we could do more sophisticated analysis. The answer is that the thing you're trying to protect — credentials, internal URLs, infrastructure details — is exactly what you don't want to send to a server to be analyzed. A tool that uploads your secrets to check whether they're secrets defeats the entire purpose. Running the check locally means the document never leaves your browser until you decide it should.
What it doesn't replace
Pre-Share Check is not a substitute for secret scanning in your CI pipeline, a secrets manager, or proper credential rotation hygiene. If a real API key ends up in a public document, the right response is to rotate it immediately, not to feel reassured that the checker caught it first. The tool is designed for the moment just before you click share, when you want a quick second pair of eyes on something you wrote in a hurry.
The Obsidian story was a reminder that sharing documents is a trust moment. We'd rather give you one more second to pause before that moment than have you discover the problem afterward.
Pre-Share Check is available now on mdview.io.