Craft API Skill and Obsidian Migration Tool
WarnAudited by ClawScan on May 10, 2026.
Overview
The Craft integration is mostly purpose-aligned, but it includes a cleanup script that can wipe all Craft documents and user-created folders, and its migration scripts upload an entire selected Obsidian vault to Craft.
Install only if you are comfortable granting a Craft API key and copying selected vault contents into Craft. Back up your Craft space first, verify the endpoint is the official Craft API link, and avoid running cleanup-craft.sh unless you intentionally want to clear the whole space or have narrowed the script to migration-created items.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the cleanup script can clear a Craft space by moving all documents to trash and deleting all user-created folders.
The cleanup script is intentionally broad and later enumerates documents and folders for DELETE API calls, so it can affect unrelated Craft content rather than only migration-created data.
This will delete ALL user-created folders and move ALL documents to trash.
Do not run the cleanup script unless the Craft space is backed up or dedicated to this migration; safer versions should preview affected items and restrict deletion to a named migration root or recorded item list.
Private notes, secrets, or sensitive markdown in the selected Obsidian vault could be copied into Craft.
The migration script reads local markdown file contents from the supplied vault path and posts them into Craft document blocks, creating persistent copies in the Craft account.
local content=$(cat "$file_path" | jq -Rs .)
Review the vault before migrating, exclude private or secret files, and test with a small folder first.
Anyone or any process with the API key can perform actions allowed by that Craft API link.
The skill requires a Craft bearer API key for the intended integration, giving the scripts delegated access to create, read, update, move, and delete Craft account content.
export CRAFT_API_KEY="pdk_xxx"
Store the API key securely, use the least-privileged Craft API link available, verify CRAFT_ENDPOINT points to Craft, and revoke the key if it is exposed.
Users may not see the credential and local tool requirements before trying the skill.
The registry metadata under-declares expected setup requirements even though the scripts require CRAFT_API_KEY, CRAFT_ENDPOINT, curl, and jq.
Required binaries: none; Required env vars: none; Primary credential: none
Declare CRAFT_API_KEY, CRAFT_ENDPOINT, curl, and jq in the skill metadata so users understand the required access and dependencies.