Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

git-backed-obsidian-cli-workflows

v1.0.0

Use the official Obsidian CLI for note workflows in a Git-backed vault, including search, read, links/backlinks-style queries, daily-note operations, and lig...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description align with the included code and instructions. The Python wrapper and backup.sh implement conservative read/write workflows and a post-write git sync, which is coherent for a 'git-backed Obsidian CLI workflows' skill.
Instruction Scope
SKILL.md directs use of the official obs CLI for queries and the bundled scripts for deterministic write+sync behavior. This is appropriate, but the post-write backup runs git operations (fetch, add, commit, pull, push) which will cause network activity to the repository's configured remote and may transmit changed notes. This behavior is expected for git-backed sync but is material and should be reviewed by the user.
Install Mechanism
No install spec or external downloads; the skill is delivered with local scripts (Python and shell). No archives or remote installers are invoked by the bundle itself.
Credentials
The skill declares no required environment variables but the scripts read several optional ones (NOTES_VAULT_ROOT, NOTES_BACKUP_SCRIPT, NOTES_INBOX_NOTE, NOTES_OBS_CMD, NOTES_GIT_BRANCH). These are reasonable and proportional to the task, but the defaults (e.g., /root/obsidian-vault) should be checked to avoid accidental modification of unexpected paths. The skill does not request credentials explicitly but will use any existing Git credentials/config present in the environment to push to remotes.
Persistence & Privilege
always is false and the skill does not request elevated platform privileges or modify other skills. It writes only to the configured vault path and runs a local backup script; no persistent platform-level changes are made by the bundle itself.
Assessment
This skill appears to do what it claims, but review a few things before installing:
1) Confirm NOTES_VAULT_ROOT (default: /root/obsidian-vault) to avoid accidental writes to an unexpected repository.
2) Inspect scripts/backup.sh so you understand which git remote/branch will be used; git push will transmit your notes using whatever Git credentials are configured.
3) Ensure the official obs CLI is installed and usable in the target environment (the wrapper falls back to direct file writes if not).
4) Run the wrapper in a non-privileged account or test environment first to verify behavior and remotes.
If you need the skill to request or document specific env vars/credentials, ask the author to declare them explicitly in the skill metadata.

Like a lobster shell, security has layers — review code before you run it.
