Obsidian Official CLI
Pass. Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: obsidian-cli-official
Version: 4.0.2

The bundle provides a comprehensive wrapper for the Obsidian CLI, including high-risk commands such as 'obsidian eval' (arbitrary JavaScript execution) and 'devtools' (Electron developer tools access) documented in SKILL.md. While these are features of the official Obsidian CLI, they represent a significant attack surface for prompt injection. Additionally, the bundle contains non-standard internal development logs and LLM-generated verification reports (e.g., final-decision-report.md, project-completion-report.md) which, while not explicitly malicious, are unusual artifacts in a production skill bundle.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could change or delete notes, alter vault organization, or publish changed content if instructed or if it misinterprets a task.
The skill explicitly enables automatic agent control of the vault and documents destructive and publishing-capable commands. This is purpose-aligned, but the artifacts do not define approval, rollback, or scope limits for high-impact actions.
Your AI assistant can now read, write, and organize your Obsidian vault automatically. ... obsidian delete file="Old Note" ... obsidian publish:add changed
Use this skill with explicit rules that require confirmation before delete, bulk edit, publish, plugin/theme/workspace, or other irreversible actions.
If used carelessly, the agent could run arbitrary Obsidian JavaScript that reads or modifies many notes or changes app state.
The documented eval command can run JavaScript inside Obsidian, which is an escape-hatch capability beyond safer scoped note operations. The artifacts do not restrict it to read-only code or require explicit user approval.
obsidian eval code="app.vault.getFiles().length" # Run JavaScript
Do not allow `obsidian eval` unless you specifically request it and understand the code to be run; maintain a backup before allowing developer commands.
Private notes may be exposed to the assistant during tasks, and malicious or misleading text stored in notes could influence the assistant's behavior.
The skill can read and search vault content, which is expected for Obsidian automation, but vault notes may contain private information or prompt-like text that enters the agent's context.
obsidian read file="Recipe"
obsidian search query="meeting"
Limit searches/reads to relevant vaults or folders, avoid using it on highly sensitive notes unless needed, and treat note contents as untrusted context.
Installing from an unverified third-party tap could run code or install files outside the reviewed skill artifacts.
The skill itself has no install spec that runs this, but the documentation suggests an optional third-party Homebrew tap while the registry source is listed as unknown.
brew tap alexanderkinging/tap
brew install obsidian-cli-official
Prefer the official Obsidian app/CLI and verify any Homebrew tap or GitHub source before installing external wrappers.
A user or agent could over-trust the skill because of self-authored approval language.
The package includes self-approval and no-risk claims. These are not independent security assurances and should not override the actual artifact review.
✅ **Verified, approved for release** ... ✅ No risk factors ... **Confidence:** 100%
Treat bundled approval reports as author notes only, not as platform or independent security validation.
