Back to skill
Skillv1.0.0
VirusTotal security
Obsidian Official CLI Headless · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 5:59 AM
- Hash
- 2c9bae10848f16b33b7b91512a506f02ed7fa24fa1df45b99c18e716a3c3bebb
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: obsidian-official-cli-headless Version: 1.0.0 The skill bundle performs high-risk system modifications, including running scripts as root, downloading an external binary from GitHub (obsidian-releases), and modifying permissions on the '/root' directory using ACLs to allow a non-root user traversal access. Additionally, the wrapper script creation in 'scripts/configure_official_cli.sh' is vulnerable to command injection because the 'VAULT_PATH' variable is placed directly into a shell command string within a heredoc without sufficient sanitization, allowing potentially malicious vault paths to execute arbitrary commands when the wrapper is invoked.
- External report
- View on VirusTotal