Obsidian Tasknotes
v0.1.0
Manage tasks in Obsidian via TaskNotes plugin API. Use when user wants to create tasks, list tasks, query by status or project, update task status, delete tasks, or check what they need to do.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the code: the CLI talks to the TaskNotes HTTP API on localhost and exposes create/list/update/delete operations. However, the registry metadata declares no required environment variables while SKILL.md and the script instruct the user to place TASKNOTES_API_PORT and TASKNOTES_API_KEY in a .env at the vault root. That metadata mismatch is incoherent and should be corrected.
Instruction Scope
SKILL.md instructs only local HTTP API use (http://localhost:<port>/api) which is appropriate. The included script only issues requests to localhost. However, the script loads a .env file by computing VAULT_ROOT as SCRIPT_DIR.parent.parent.parent.parent and calling load_dotenv(VAULT_ROOT / '.env'). That upward traversal (four levels) is brittle and may end up reading a .env file outside the intended Obsidian vault depending on where the skill is installed, which expands scope beyond the described behavior.
Install Mechanism
This is an instruction-only skill with a small Python script. There is no install spec that downloads arbitrary code. The script declares Python dependencies (requests, python-dotenv) in its header which is reasonable for its purpose.
Credentials
The only secret the skill needs in practice is the TaskNotes API token (TASKNOTES_API_KEY) and an optional port variable. That is proportionate. But the registry lists no required env vars (metadata vs SKILL.md mismatch). Also, because the script will load a .env by walking up multiple directories, it may read unrelated secrets if a .env exists elsewhere, which increases risk if that file contains other credentials.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and does not write persistent installation state. It only runs a CLI script and makes local HTTP requests, so its requested level of presence/privilege is appropriate.
What to consider before installing
This skill appears to be a legitimate local TaskNotes client, but take a few precautions before installing:
- Verify the registry metadata: the package claims no required env vars but SKILL.md and the script expect TASKNOTES_API_PORT and TASKNOTES_API_KEY in a .env — update or confirm the metadata if you control the registry entry.
- Inspect where the skill will be stored and check what VAULT_ROOT resolves to in the script (SCRIPT_DIR.parent.parent.parent.parent). Ensure it will point to your Obsidian vault and not to another directory that contains a .env with unrelated secrets (AWS keys, tokens, etc.).
- If you don't want any token stored, enable TaskNotes HTTP API with no auth (SKILL.md mentions leaving token empty) and avoid creating a .env.
- Review the included script yourself (scripts/tasks.py) and confirm it only talks to http://localhost:<port> and does not send data externally. The script appears to only contact localhost and print results.
- Run in a restricted environment or sandbox if you are unsure, and avoid putting high-value secrets in a .env file that could be picked up by this script.
If these checks look good, the skill's behavior is coherent with its purpose. If you cannot verify the VAULT_ROOT path or the .env contents, do not install or run it with sensitive environment files present.
