Obsidian Ontology Sync

Security checks across malware telemetry and agentic risk

Overview

This is a local Obsidian-to-ontology sync skill that matches its stated purpose, but its generated graph and reports may contain sensitive personal and business information.

Before installing or running, edit config.yaml to point only at the vault folders you intend to process, run the first extraction with --dry-run, and review the generated graph and feedback files. Store graph.jsonl and feedback reports securely because they can centralize contact details, team relationships, business context, and behavioral notes. Enable cron only after confirming the paths, output location, and retention expectations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (8)

Intent-Code Divergence

Medium
Confidence: 91%
Finding
The document first frames writes as append-only updates to the ontology, but later introduces bidirectional sync that can modify source Obsidian notes directly. This inconsistency can cause users to trust the skill as non-destructive when it actually has source-modification behavior, increasing the risk of unintended data alteration or corruption.

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The script embeds absolute personal filesystem paths for specific users and environments, which can disclose sensitive host layout details and cause the tool to operate on unintended personal data when run without explicit configuration. In a skill intended for reuse or automation via cron, these defaults increase the chance of unauthorized or accidental processing of a private PKM vault.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The default configuration is pre-targeted at personal notes, contacts, clients, team, and daily-status directories under /root/life/pkm, going beyond generic ontology sync behavior and steering the tool toward sensitive personal and professional data collection. In this skill context, that makes the behavior more dangerous because the skill is explicitly designed to run unattended on a schedule, so accidental surveillance-like ingestion can happen without deliberate user selection.

Vague Triggers

Medium
Confidence: 91%
Finding
The README exposes broad operational phrases like syncing notes, updating the ontology graph, and checking note structure without defining clear invocation constraints, required inputs, authorization boundaries, or safe operating conditions. For a skill that performs bidirectional synchronization and automated extraction on user knowledge bases, this ambiguity can lead to overbroad execution, unintended data modification, or unsafe automation when triggered by an agent or scheduler.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill is designed to automatically extract and persist sensitive personal and workplace data such as emails, phones, behavioral patterns, reporting lines, and response patterns into a machine-queryable graph. Without a clear privacy warning, retention policy, or consent guidance, users may unknowingly centralize sensitive data in a way that increases exposure, misuse, and compliance risk.

Missing User Warnings

Medium
Confidence: 92%
Finding
The cron configuration enables unattended recurring scans, analysis, and report generation over user notes and team data. Presenting this automation without strong warnings about continuous background processing, output locations, and possible propagation of sensitive content into derived reports increases the chance of silent overcollection and unexpected file creation.

Missing User Warnings

Medium
Confidence: 90%
Finding
The extractor parses and persists personal contact attributes such as email, phone, employer, and project associations into an ontology file without consent checks, minimization, or any explicit warning that sensitive data is being transformed and stored. This creates privacy and confidentiality risk, especially because relationship inference can amplify the sensitivity of otherwise ordinary note content.

Missing User Warnings

Medium
Confidence: 88%
Finding
The feedback routine writes derived reports listing missing personal information and organizational relationship insights back into the vault, creating a secondary sensitive artifact that may be more revealing than the original notes. Because this output is automatically generated and stored on disk, it can expose inferred social graphs and data-quality gaps to anyone with access to the vault or synced devices.

VirusTotal

66/66 vendors flagged this skill as clean.
