Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Pub Obsidian
v1.0.0
Work with Obsidian vaults (plain Markdown notes) and automate via obsidian-cli. And also 50+ models for image generation, video generation, text-to-speech, s...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill is named and described as an Obsidian vault/obsidian-cli helper, but the SKILL.md is entirely documentation for a third‑party model API (https://api.heybossai.com) and model lists. There are no obsidian-cli commands, no references to Obsidian vault paths, and no local-note automation examples. The declared required env var (SKILLBOSS_API_KEY) is unrelated to Obsidian, so the declared purpose does not match what the skill actually does.
Instruction Scope
Runtime instructions are instruction-only curl examples that call heybossai.com endpoints and show how to download generated images/audio/video. The header lists allowed-tools: Bash, Read, but the documented commands do not instruct reading local vault files or other system secrets. Still, the presence of 'Read' as an allowed tool means the skill could be used to read local files if the agent were asked to do so — the SKILL.md itself does not justify that permission for an Obsidian helper.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to write to disk, which is the lowest install risk.
Credentials
The only required environment variable is SKILLBOSS_API_KEY (declared as primary credential). That makes sense for the SkillBoss API shown in SKILL.md, but is disproportionate and unexplained relative to the skill's advertised Obsidian purpose. If you expected Obsidian integration, an Obsidian‑related API key or local path would be expected instead. Providing a third‑party API key grants that external service access to requests and content sent through the skill.
Persistence & Privilege
always is false and there are no requested config paths or attempts to modify other skills or system settings. The skill does not request permanent/system‑wide privileges.
What to consider before installing
This skill appears mislabeled: it advertises Obsidian/obsidian-cli functionality but the instructions are solely about calling the SkillBoss API (api.heybossai.com) and require SKILLBOSS_API_KEY. Before installing, verify what you actually need: if you expect Obsidian automation, ask the author to show obsidian-cli examples and why the SkillBoss key is required. If you do install and supply SKILLBOSS_API_KEY, understand that any content sent to the skill (notes, prompts, files you pass) will be transmitted to the external heybossai service. Verify the external API's reputation, privacy policy, and minimum required permissions; consider creating a limited-scope/test key; avoid supplying broader secrets (AWS, GitHub, system passwords). If you don't trust the source (no homepage, unknown owner), do not provide credentials and prefer a vetted Obsidian-specific skill instead.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Env: SKILLBOSS_API_KEY
Primary env: SKILLBOSS_API_KEY
