Obsidian Openclaw Sync

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local/iCloud symlink setup helper, with the main risk being accidental OpenClaw config replacement if users run overwrite or no-confirm options.

Install only if you want OpenClaw config, skills, media, projects, team files, and workspaces linked to an iCloud Obsidian vault. Run status first, avoid --no-confirm until you have verified the vault index and paths, and back up any local openclaw.json before using --overwrite.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill advertises destructive behaviors such as overwriting `openclaw.json` and removing symlinks, but it does not prominently warn users that local configuration may be replaced or disconnected. In a sync/setup workflow, ambiguous wording can cause accidental loss of local state or unintended re-pointing of files, especially when combined with automation flags.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
# Setup with overwrite (replace local openclaw.json with iCloud symlink)
/obsidian-openclaw-sync setup --overwrite

# Setup without confirmation prompt (auto-confirm)
/obsidian-openclaw-sync setup --no-confirm

# Setup specific vault without prompts
Confidence
84% confidence
Finding
without confirmation

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
|--------|-------|-------------|
| `--vault N` | `-v N` | Pre-select vault by index (default: interactive) |
| `--overwrite` | `-w` | Overwrite local `openclaw.json` with symlink to iCloud version |
| `--no-confirm` | `-y` | Skip confirmation prompt (auto-confirm) |

## Examples
Confidence
92% confidence
Finding
Skip confirmation

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
|--------|-------|-------------|
| `--vault N` | `-v N` | Pre-select vault by index (default: interactive) |
| `--overwrite` | `-w` | Overwrite local `openclaw.json` with symlink to iCloud version |
| `--no-confirm` | `-y` | Skip confirmation prompt (auto-confirm) |

## Examples
Confidence
92% confidence
Finding
auto-confirm

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
# Setup with overwrite (replace local openclaw.json with iCloud symlink)
/obsidian-openclaw-sync setup --overwrite

# Setup without confirmation prompt (auto-confirm)
/obsidian-openclaw-sync setup --no-confirm

# Setup specific vault without prompts
Confidence
84% confidence
Finding
auto-confirm

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
|--------|-------|-------------|
| `--vault N` | `-v N` | Pre-select vault by index (default: interactive) |
| `--overwrite` | `-w` | Overwrite local `openclaw.json` with symlink to iCloud version |
| `--no-confirm` | `-y` | Skip confirmation prompt (auto-confirm) |

## Examples
Confidence
92% confidence
Finding
--no-confirm

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
/obsidian-openclaw-sync setup --overwrite

# Setup without confirmation prompt (auto-confirm)
/obsidian-openclaw-sync setup --no-confirm

# Setup specific vault without prompts
/obsidian-openclaw-sync setup --vault 1 --no-confirm
Confidence
92% confidence
Finding
--no-confirm

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
/obsidian-openclaw-sync setup --no-confirm

# Setup specific vault without prompts
/obsidian-openclaw-sync setup --vault 1 --no-confirm

# List and remove local symlinks
/obsidian-openclaw-sync unset
Confidence
94% confidence
Finding
--no-confirm

Tool Parameter Abuse

High
Category
Tool Misuse
Content
|--------|-------|-------------|
| `--vault N` | `-v N` | Pre-select vault by index (default: interactive) |
| `--overwrite` | `-w` | Overwrite local `openclaw.json` with symlink to iCloud version |
| `--no-confirm` | `-y` | Skip confirmation prompt (auto-confirm) |

## Examples
Confidence
91% confidence
Finding
--no-confirm

Tool Parameter Abuse

High
Category
Tool Misuse
Content
/obsidian-openclaw-sync setup --overwrite

# Setup without confirmation prompt (auto-confirm)
/obsidian-openclaw-sync setup --no-confirm

# Setup specific vault without prompts
/obsidian-openclaw-sync setup --vault 1 --no-confirm
Confidence
90% confidence
Finding
--no-confirm

Tool Parameter Abuse

High
Category
Tool Misuse
Content
/obsidian-openclaw-sync setup --no-confirm

# Setup specific vault without prompts
/obsidian-openclaw-sync setup --vault 1 --no-confirm

# List and remove local symlinks
/obsidian-openclaw-sync unset
Confidence
93% confidence
Finding
--no-confirm

VirusTotal

66/66 vendors flagged this skill as clean.
