Obsidian Daily
Security checks across malware telemetry and agentic risk
Overview
This instruction-only skill transparently uses obsidian-cli to manage Obsidian daily notes, but users should remember it can read/search and append content in the selected vault.
Before installing, verify obsidian-cli is installed from a trusted source and confirm which Obsidian vault is set as default. Use the skill only for notes you are comfortable letting the agent read or modify, and review requested append text before writing it. The provided artifacts do not show credential use, hidden network transfer, deletion, or background execution.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used with the wrong vault, date, or entry text, the agent could add unwanted content to an Obsidian note.
The skill documents commands that persist a default vault and append content to a daily note. This is expected for the stated purpose, but it does modify local user files.
obsidian-cli set-default "VAULT_NAME" ... obsidian-cli daily && obsidian-cli create "$(date +%Y-%m-%d).md" --content "$(printf '\n%s' "ENTRY_TEXT")" --append
Confirm the configured vault and review the text to be appended before asking the skill to write notes; keep normal Obsidian backups or version history if the vault is important.
Private journal entries, work notes, tasks, or links could be surfaced to the agent when reading or searching the vault.
The skill can print and search Obsidian vault content, which may place private notes into the agent's working context. This is purpose-aligned but sensitive.
obsidian-cli print "2025-01-10.md" ... obsidian-cli search-content "TERM"
Only request reads or searches for notes you are comfortable sharing in the conversation, and use specific dates or terms rather than broad searches when possible.
A user could install the wrong or untrusted obsidian-cli package, or the malformed frontmatter could make the skill metadata confusing.
The skill depends on an external CLI that is not packaged or pinned here, and the frontmatter contains unresolved merge-conflict markers. This is a provenance and quality-control gap, not evidence of malicious behavior.
Requires obsidian-cli installed via Homebrew (Mac/Linux) or Scoop (Windows). <<<<<<< Updated upstream metadata: author: github.com/bastos version: "2.0" ======= >>>>>>> Stashed changes
Install obsidian-cli only from a trusted source, verify the command works as expected, and prefer a cleaned-up skill version without merge-conflict markers.