ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Obsidian Official CLI Headless

v1.0.0

Install and adapt the official Obsidian CLI for headless Linux servers by using a non-root user, Xvfb virtual display, ACL-based vault access, and an obs wra...

0· 300·0 current·0 all-time
by@darinrowe
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The scripts implement exactly what the name/description promise: install the official Obsidian .deb, create a dedicated non-root user, provide an Xvfb-based wrapper, configure the official CLI JSON, and set ACLs for a vault (including vaults under /root). The workflow and required system changes are proportionate to the stated goal. Minor metadata omission: the package/script runtime expects utilities like apt-get, curl, setfacl, xvfb-run and realpath even though the registry metadata lists no required binaries.
Instruction Scope
SKILL.md and the scripts stay within the described scope: they instruct an admin to run the provided install/configure/verify scripts as root to enable a headless adaptation. The scripts read/write system paths (/usr/local/bin, /home/obsidian, /root) and write the wrapper and config files as intended. Note: the wrapper and configure scripts embed configured paths/usernames into a su -c command; these values are set at install time (root) but should be chosen carefully to avoid accidental injection-like issues.
Install Mechanism
Install uses apt-get to install dependencies and downloads the Obsidian .deb from the official GitHub releases URL (github.com/obsidianmd/obsidian-releases), then installs the .deb. This is an expected, traceable mechanism for installing the official desktop package on Debian-like systems; it requires root and will install system packages.
Credentials
The skill does not request secrets or service credentials (no AWS/third-party tokens). Scripts accept optional environment variables (OBSIDIAN_VERSION, OBSIDIAN_USER, WRAPPER_PATH, OBS_CMD) to customize behavior, but these env-vars are not declared in registry metadata — this is reasonable but should be documented for operators because changing them can alter install targets and runtime binaries.
Persistence & Privilege
The skill does not request 'always:true' or autonomous elevation, but it requires root to run and will create a system user, write a wrapper to /usr/local/bin, set ACLs (including traversal on /root), and install packages. Those are necessary for the stated goal but are high-privilege operations; the skill will persist on the system until removed.
Assessment
This skill appears to do what it says: adapt the official Obsidian desktop package for headless servers. Before installing, be aware it must be run as root and will: install system packages, download and install a .deb from GitHub releases, create a system user 'obsidian', write a wrapper to /usr/local/bin, and modify ACLs (possibly granting traversal on /root). Recommended steps: - Review the three scripts line-by-line (you were provided them) and confirm paths, usernames, and the DEB_URL before running. - Run first in an isolated VM or test host, not on production, to validate behavior. - If your vault is under /root, understand the ACL change: it will allow the obsidian user to traverse /root and read/write the vault. Consider moving the vault to a non-root path if that is a concern. - Note optional env vars (OBSIDIAN_VERSION, OBSIDIAN_USER, WRAPPER_PATH, OBS_CMD) can alter behavior — set them intentionally or leave defaults. - If you need stricter assurance, build the .deb from a pinned checksum or manually verify the downloaded release before apt installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk975zdncpprc2m72z1tqqgss5h82v3nb
300downloads
0stars
1versions
Updated 1h ago
v1.0.0
MIT-0
@darinrowe
latest
Download

Obsidian Official CLI Headless

Treat the official Obsidian CLI as a desktop-first app adaptation problem, not a normal CLI install.

Core rules

  • Use this skill only for the official Obsidian CLI.
  • Assume headless Linux needs a dedicated non-root user, Xvfb, and a wrapper command.
  • Prefer ACLs over ownership changes when the vault lives under /root.
  • Prefer one target vault.
  • Keep the user away from su - obsidian and display details by exposing /usr/local/bin/obs.

Fast path

  1. Confirm the vault path. Default to /root/obsidian-vault only if the user does not specify another path.
  2. Run scripts/install_official_obsidian.sh as root.
  3. Run scripts/configure_official_cli.sh <vault_path> as root.
  4. Run scripts/verify_official_cli.sh [vault_path].
  5. Report the wrapper path, active vault, verified commands, and remaining caveats.

What this skill owns

  • Official Obsidian .deb install
  • Headless runtime dependencies needed for field use
  • Dedicated obsidian user
  • Official CLI enablement via ~/.config/obsidian/obsidian.json
  • Vault access via ACLs
  • /usr/local/bin/obs wrapper
  • Verification of help, vault, daily:path, daily:append, daily:read, and search

What not to do

  • Do not use this skill for notesmd-cli or lightweight markdown-only workflows.
  • Do not expand into plugins, sync setup, theme tuning, or full desktop environment work unless the user explicitly asks.
  • Do not broaden permissions more than needed.

Wrapper model

The wrapper should effectively run:

su - obsidian -c 'cd <vault> && xvfb-run -a /usr/bin/obsidian --disable-gpu ...'

That is the stable operating model on a headless host.

Verification commands

Use at minimum:

obs help
obs vault
obs daily:path
obs daily:append content="skill verification"
obs daily:read
obs search query="skill verification"

References

  • Read references/architecture.md when you need the rationale for non-root user, Xvfb, ACLs, or wrapper design.
  • Read references/troubleshooting.md when the install works partially but CLI behavior still fails.

Report format

Keep the result short:

  • installed version
  • wrapper path
  • active vault path
  • verified commands
  • remaining limits

Comments

Loading comments...