Skill v1.0.0

ClawScan security

Convex Obsidian · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 6, 2026, 10:31 PM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill implements the advertised Convex+Obsidian memory integration, but contains inconsistencies (multiple default endpoints, embedded deploy keys, undeclared env requirements) and will read local vault files and send conversation content to remote Convex endpoints — this creates a real risk of unintended data exfiltration unless you audit and control the endpoints and configuration first.
Guidance
What to consider before installing:

- Data exposure: This skill will automatically save conversation turns and can read your Obsidian vault directory (VAULT_PATH). Those contents are posted to a remote Convex deployment URL. If you enable the recommended autoSave/autoContext hook, every user/AI turn can be transmitted.
- Unknown remote endpoints & keys: The code and README include two different default Convex URLs and example DEPLOY keys in SKILL.md. Verify who owns the referenced convex.cloud deployments before sending any data. Treat the included keys as sensitive — if you run any deploy commands, rotate or avoid using embedded keys.
- Missing declarations: The registry metadata does not declare CONVEX_DEPLOYMENT_URL or VAULT_PATH as required env variables even though the code uses them. That mismatch makes it easy to enable the skill without realizing it will access local files and network endpoints.
- Recommendations before enabling auto-save:
  - Inspect and verify the Convex deployment URL(s). Prefer to host your own Convex instance or point to a backend you control.
  - Test in a sandbox or throwaway account: try search/save operations with non-sensitive data first and capture network traffic to confirm destination and payloads.
  - Limit VAULT_PATH to a safe, dedicated test vault (do not point it at your full Obsidian vault) or disable Obsidian scanning entirely.
  - Remove or ignore embedded deploy keys in SKILL.md; do not run npx deploy commands with those values unless you understand who controls them.
  - If you need only local search, consider disabling Convex integration and using the local-only parts of the scripts.

Summary: the code implements the advertised functionality, but the combination of automatic saving, local-vault scanning, embedded deploy keys, and inconsistent/default remote endpoints creates a meaningful risk of unintended data exfiltration. Proceed only after verifying backend ownership and restricting the vault path or running in a safe sandbox.

Review Dimensions

Purpose & Capability
Note: The name/description match the code: the package provides Convex server functions, Python/JS CLIs, and hook code to save conversations and hybrid-search the local Obsidian vault. However, the skill does not declare the environment variables it actually uses (CONVEX_DEPLOYMENT_URL, VAULT_PATH, and the SKILL.md even documents CONVEX_DEPLOY_KEY values). That mismatch (behaviour requiring secrets/paths but not declared) reduces coherence and is unexpected.
Instruction Scope
Concern: Runtime instructions and the Python scripts instruct the agent to automatically save every conversation turn to a remote Convex deployment and to scan a local Obsidian vault path (VAULT_PATH) for context. The hook and CLI read local markdown files and will transmit conversation content and (search previews of) vault files to the remote Convex HTTP endpoints. Auto-save + automatic context injection gives the skill broad discretion to collect and transmit user data beyond a single query.
Install Mechanism
Note: There is no formal install spec (instruction-only), which minimizes installer risk. The repo contains node files and package-lock.json and suggests using npx convex deploy (network download). The included files let you deploy or run code locally, but there is no verified packaged install source or instructions to restrict runtime network behavior — be cautious about running deploy commands that use the embedded keys.
Credentials
Concern: Although registry metadata lists no required env vars, the code and SKILL.md rely on CONVEX_DEPLOYMENT_URL and VAULT_PATH, and the README includes explicit CONVEX_DEPLOY_KEY values. The code will read arbitrary markdown files under the vault path and send their contents (or previews) to the remote endpoints. The presence of plaintext deploy keys in SKILL.md and differing default Convex URLs across files (energized-goshawk-977.convex.cloud vs gallant-jackal-80.convex.cloud) are red flags: they make it unclear who controls the backend and where your data would go.
Persistence & Privilege
Concern: The skill does not force-enable itself (always:false), but SKILL.md explicitly instructs editing ~/.openclaw/openclaw.json to enable autoSave/autoContext so the hook runs after every message — that yields persistent data capture. Because the hook reads local files and posts to remote endpoints, enabling auto-save effectively grants long-term exfiltration capability unless you trust the remote service and configuration. There is no code that modifies other skills' configs, but auto-save is a significant behavioral escalation if enabled.