Craft API Skill and Obsidian Migration Tool
v1.0.0
Integrate with Craft.do to automate tasks, create/manage documents and folders, edit markdown content, and migrate Obsidian vaults using their REST API.
by Atom Tan Studio @atomtanstudio
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill name/README advertise Craft API integration plus an Obsidian vault migration. That purpose would legitimately require an API key and access to the local Obsidian vault. However the registry metadata declares no required environment variables or config paths while SKILL.md explicitly instructs users to set CRAFT_API_KEY and CRAFT_ENDPOINT and the package contains multiple migration shell scripts. The mismatch between declared requirements and the actual instructions/files is incoherent.
Instruction Scope
SKILL.md contains curl examples that upload content to a remote Craft endpoint and promises a 'one-time full vault migration.' The included shell scripts (migrate-obsidian*.sh, cleanup-craft.sh, craft-api.sh) strongly imply filesystem traversal and bulk upload behavior. That means the skill's runtime behavior can read many local files (notes, attachments) and send them to an external service — a scope that should be explicit and justified but isn't in the metadata or permissions.
Install Mechanism
No install spec is provided (instruction-only). That lowers the risk of arbitrary remote code download during installation. However the skill still ships multiple executable shell scripts that the agent could run at runtime; there is no automated installer, so the scripts will execute in the agent environment if invoked.
Credentials
The registry lists no required env vars or primary credential, but SKILL.md requires CRAFT_API_KEY and CRAFT_ENDPOINT. That inconsistency means the manifest understates secrets needed. The skill will need (and asks for) a bearer API key that grants write access to your Craft account — a sensitive credential that should be declared explicitly and scoped to the minimum privileges.
Persistence & Privilege
No special 'always' flag is set, but disable-model-invocation is not set (model invocation is allowed by default). Allowing autonomous model invocation combined with scripts that can read and upload entire vaults and an API key is a notable risk: the skill could be triggered by the model and perform data transfer without an explicit user action unless model invocation is disabled.
What to consider before installing
Do not install blindly. Before using:
(1) Inspect the migrate-obsidian*.sh, craft-api.sh, and cleanup scripts line-by-line to confirm exactly which files/paths are read and uploaded;
(2) Only provide a Craft API key with the minimum required scope and consider creating a dedicated/limited account for migration;
(3) Prefer running the migration scripts manually in a sandboxed environment (not allowing the agent to run them autonomously);
(4) Set disableModelInvocation=true or otherwise prevent autonomous invocation if you don't want the model to trigger uploads;
(5) Verify the CRAFT_ENDPOINT value is the official Craft endpoint (avoid custom/personal servers);
(6) Backup your vault before running and test on a small subset first.
The inconsistencies between declared requirements and what the skill actually asks for are the main red flags.
Like a lobster shell, security has layers; review code before you run it.
