v1.0.0

Obsidian Sync

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:15 AM.

Analysis

The skill appears to provide the stated Obsidian sync server, but it gives a token-protected service read/write access to notes and agent memory, which deserves careful review before installation.

Guidance

Install only if you need Obsidian file sync. Use a dedicated random SYNC_TOKEN rather than a broad Gateway token, set SYNC_ALLOWED_PATHS=notes unless you intentionally want memory sync, keep the server bound to localhost unless remote exposure is necessary, review the external Obsidian plugin, and enable the systemd service only after you are comfortable with continuous background syncing.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium; Confidence: High; Status: Concern
scripts/sync-server.mjs
const { content, expectedHash } = data; ... if (expectedHash) { ... } ... await fs.writeFile(validation.path, content, 'utf-8');

The write endpoint accepts arbitrary string content and only performs conflict detection when the client supplies expectedHash, so a token-bearing client can overwrite files in allowed paths without a mandatory version check.

User impact: A compromised or over-permissive client could replace synced notes or memory files within the configured scope.
Recommendation: Require a revision check for overwrites, restrict writes to expected note file types, keep allowed paths narrow, and add audit or backup controls.
Rogue Agents
Severity: Low; Confidence: High; Status: Note
SKILL.md
systemctl --user enable --now openclaw-sync
loginctl enable-linger $USER  # Start on boot

The documentation includes a persistent user service that starts the sync server automatically.

User impact: If enabled, the sync server may continue accepting authenticated sync requests after the immediate task is finished.
Recommendation: Enable the service only if continuous sync is needed, keep it bound to localhost where possible, and know how to disable it.
Agentic Supply Chain Vulnerabilities
Severity: Low; Confidence: High; Status: Note
SKILL.md
Install the plugin via [BRAT](https://github.com/TfTHacker/obsidian42-brat) using: `AndyBold/obsidian-openclaw`

The main Obsidian-side client is an external BRAT-installed repository that is not included in the reviewed artifacts.

User impact: Using the companion plugin expands trust to external code that may handle vault files and tokens.
Recommendation: Review the plugin repository, prefer pinned releases, and install it only if you trust its source and permissions.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium; Confidence: Medium; Status: Concern
SKILL.md
SYNC_TOKEN="your-gateway-token" node scripts/sync-server.mjs ... `SYNC_TOKEN` | (required) | Auth token (use Gateway token)

The documented bearer secret is a Gateway token rather than a clearly scoped sync-only token.

User impact: If the Gateway token has broader account or agent privileges, reusing it for sync increases the damage if the Obsidian plugin, local machine, or exposed endpoint leaks it.
Recommendation: Use a dedicated random sync token with no broader account privileges, and declare the required token clearly in the skill metadata.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Medium; Confidence: High; Status: Concern
scripts/sync-server.mjs
allowedPaths: (process.env.SYNC_ALLOWED_PATHS || 'notes,memory')... if (req.method === 'POST' && endpoint === '/sync/write') ... await fs.writeFile(validation.path, content, 'utf-8');

The default sync scope includes a directory named 'memory', and the write endpoint can create or overwrite files in allowed paths.

User impact: An authorized plugin or anyone with the sync token could read or change persistent notes/memory, which may expose private context or influence future agent behavior.
Recommendation: Default to syncing only a notes directory; make memory sync an explicit opt-in with clear warnings, separate scopes, backups, and review controls.