ClawHub

Obsidian Viz

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill coherently generates local Obsidian diagram files from text or user-provided images, with no evidence of hidden code, exfiltration, or privileged behavior.

Use this for ordinary diagram generation, but avoid sending sensitive screenshots unless needed. Review generated files in the OpenClaw outputs folder before moving them into an Obsidian vault or sharing them, and prefer the ClawHub install path because the manual repository URL is only a placeholder.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger list includes broad generic terms such as 'visualize', 'diagram', and 'flowchart', which can cause the skill to activate in contexts where the user did not explicitly intend to invoke it. Over-broad activation increases the chance of unintended image analysis or file-generation behavior, which can expose user content or cause unwanted workspace modifications.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README advertises image understanding and generation of editable files but does not warn users that screenshots may contain sensitive information or that outputs will be written to disk. In a skill that processes user-supplied images and creates files in an Obsidian/OpenClaw workspace, missing privacy and filesystem disclosure materially increases the risk of inadvertent data exposure and unexpected side effects.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill instructs the agent to always write generated files to a fixed path under ~/.openclaw/workspace/outputs without mentioning overwrite checks, confirmation, or unique filename requirements. In an agent setting, this can lead to unintended file creation or clobbering of prior outputs, especially if filenames are derived from user input or reused across runs.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal