ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Obsidian CLI

v2.0.0

Skill for the official Obsidian CLI (v1.12+). Complete vault automation including files, daily notes, search, tasks, tags, properties, links, bookmarks, base...

5· 2.8k·61 current·63 all-time
byArtur@adolago
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
Name and SKILL.md describe an Obsidian CLI integration (managing vaults, files, daily notes, search, tasks, etc.), which is coherent with the stated purpose. However, the registry metadata lists no required binaries or env vars while the runtime instructions explicitly require the obsidian binary in PATH and a running Obsidian 1.12+ instance. The missing metadata entry for this required binary and the lack of a known source/homepage are inconsistent and reduce confidence in provenance.
Instruction Scope
SKILL.md is an instruction-only runtime doc that tells the agent to run local obsidian CLI commands (read/create/append/delete/search tasks/tags). That scope is appropriate for a vault automation skill, but those commands legitimately read and modify local vault files and can output note contents. The instructions do not request unrelated system files, external endpoints, or secrets, but they do grant the agent the ability to read/write user notes — users should expect local data access.
Install Mechanism
No install specification and no code files are present (instruction-only), which minimizes installation risk — nothing will be downloaded or written to disk by the skill itself.
Credentials
The skill declares no required environment variables or credentials (appropriate). However, SKILL.md requires the obsidian binary and a running Obsidian instance (IPC) — this required runtime dependency is not reflected in the registry metadata, an inconsistency that should be corrected. No other credentials or unrelated env access are requested.
Persistence & Privilege
The skill does not request always:true and is user-invocable only; it does not declare persistent privileges or attempt to modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but not combined with other strong red flags.
What to consider before installing
This skill appears to be a plain instruction set for using the Obsidian CLI and will run local obsidian commands that can read and modify your vault files. Before installing: 1) confirm you trust the publisher (source/homepage is missing here); 2) verify Obsidian 1.12+ and its CLI are installed and enabled (the SKILL.md requires the obsidian binary in PATH though the metadata omits that); 3) be comfortable with the agent having the ability to read/write your notes (sensitive data may be exposed); and 4) if you have concerns, restrict autonomous invocation or only enable the skill when needed. If you want higher assurance, ask the publisher to provide a source URL or repo and update the metadata to list the obsidian binary as a required dependency.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ej6z3ka8psshvbqp8e5pbys8174cq

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments