ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Obsidian Cloudflare Pages

v0.1.0

Publish selected Obsidian markdown from a vault to a static site and deploy to Cloudflare Pages.

1· 379·2 current·2 all-time
byDavid O.@davidyoh
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (publish Obsidian/Markdown to Cloudflare Pages) align with the included CLI (bin/publishmd-cf.js), README, and SKILL.md. Required binaries and env vars described in the docs (node, rsync, npm, npx, quartz, wrangler, CLOUDFLARE_API_TOKEN / CLOUDFLARE_ACCOUNT_ID) are exactly what a Cloudflare Pages deployer + static-site builder would need.
Instruction Scope
Instructions and the CLI operate within the publishing workflow (init, wizard, sync, build, deploy). The script intentionally reads an Obsidian config file (~/Library/Application Support/obsidian/obsidian.json) to detect vaults — this is consistent with its purpose but is macOS-specific. The sync step runs destructive commands (rm -rf "<dest>"/* and rsync into the workspace) and the README/SKILL.md explicitly warn that a fallback bootstrap may clear files in the configured workspace. These destructive operations are expected for a sync/deploy tool but mean you should point the skill at a dedicated/test workspace and review config before running.
Install Mechanism
No install spec — instruction-only with a bundled Node CLI. That is the lowest-install-risk category. The script uses child_process.execSync to invoke system binaries (rsync, npx, wrangler), which is expected for a CLI orchestration tool and matches the declared prerequisites.
Credentials
The skill does not require unrelated credentials. It expects Cloudflare API token and account id environment variables (names configurable) — appropriate for deploying to Pages. A caution: the wizard and config store basic-auth username/password and some settings in the skill-local config/config.json (and .env is recommended for tokens). Storing credentials in config.json or leaving .env in an unprotected location would expose secrets; the docs recommend .env and not committing personal config.
Persistence & Privilege
always:false and normal autonomous invocation defaults. The skill writes its own config (config.json), may create middleware at <workspace>/functions/_middleware.js for basic auth, and will modify files under the configured workspace/content directory. It does not request elevated agent-wide privileges or edit other skills' configs. Because it can delete/overwrite workspace content, the user should configure an isolated workspace.
Assessment
This skill appears to do what it says: sync selected Markdown from an Obsidian vault, build with Quartz, and deploy to Cloudflare Pages. Before running it: 1) Use a dedicated test workspace directory (the tool runs rm -rf on the publish content folder and may clear the workspace during bootstrap). 2) Provide a scoped Cloudflare API token (Pages:Edit and DNS:Edit only if you need DNS automation). 3) Keep secrets out of chat and prefer the skill-local .env (and never commit your .env or config.json with real credentials). 4) Review config/config.json after running the wizard — basic auth credentials may be stored in plaintext there unless you move them to a protected .env. 5) If you're not on macOS, vault auto-detection may not work (the script checks a macOS-specific path). If any of these behaviours are unacceptable (deletion of workspace files or plaintext credentials), do not install or run the skill until you have reviewed/modified the code and configured a safe workspace.

Like a lobster shell, security has layers — review code before you run it.

latestvk970xpd9ef8k98sfnhw499ppmx829gaa
379downloads
1stars
1versions
Updated 20m ago
v0.1.0
MIT-0
David O.@davidyoh
latest
Download

OpenClaw Skill: Obsidian/Markdown → Cloudflare Pages

This is an OpenClaw Skill for publishing Markdown to Cloudflare Pages.

  • Works with Obsidian vault folders or any Markdown folder
  • Originally built for reading Obsidian Web Clipper output:

Automates a safe publishing flow:

  1. Select notes from your source folder
  2. Sync to a publish workspace
  3. Build static HTML with Quartz
  4. Deploy to Cloudflare Pages

Commands

  • node skills/obsidian-cloudflare-pages/bin/publishmd-cf.js init
    • Creates config/config.json from example
  • node skills/obsidian-cloudflare-pages/bin/publishmd-cf.js wizard
    • Interactive setup wizard for config (vault, folders, site/domain, Cloudflare project)
  • node skills/obsidian-cloudflare-pages/bin/publishmd-cf.js setup-project
    • Initializes Quartz project in configured workspace if missing
  • node skills/obsidian-cloudflare-pages/bin/publishmd-cf.js doctor
    • Validates paths + required binaries
  • node skills/obsidian-cloudflare-pages/bin/publishmd-cf.js sync
    • Syncs selected notes/assets into publish content folder
  • node skills/obsidian-cloudflare-pages/bin/publishmd-cf.js build
    • Runs Quartz build in project dir
  • node skills/obsidian-cloudflare-pages/bin/publishmd-cf.js deploy
    • Deploys to Cloudflare Pages with wrangler
  • node skills/obsidian-cloudflare-pages/bin/publishmd-cf.js run
    • sync → build → deploy

Config

Copy and edit:

skills/obsidian-cloudflare-pages/config/config.example.jsonskills/obsidian-cloudflare-pages/config/config.json

Safety defaults

  • Publish allowlist by folder
  • Optional publish: true frontmatter gate
  • Exclude private folders by default

Requirements

  • node 20+
  • rsync
  • npm
  • npx quartz
  • wrangler

Cloudflare API token setup (recommended)

Create a Cloudflare API token with at least:

  • Account → Cloudflare Pages:Edit
  • (Optional) Zone → DNS:Edit if you want DNS automation elsewhere

You can either export env vars in your shell profile (~/.zshrc) or use the skill-local .env file.

Option A: shell profile (~/.zshrc)

export CLOUDFLARE_API_TOKEN="<your-token>"
export CLOUDFLARE_ACCOUNT_ID="<your-account-id>"

Reload shell:

source ~/.zshrc

Option B: skill-local env file (recommended for this skill)

cp skills/obsidian-cloudflare-pages/.env.example skills/obsidian-cloudflare-pages/.env
# then edit .env

The CLI auto-loads skills/obsidian-cloudflare-pages/.env (without overriding existing shell env vars).

Wizard now asks for:

  • Full production domain (e.g. YOURDOMAIN.COM)
  • Branding settings (root source folder, source index label, root index label, sidebar title HTML)
  • Token/account env var names (defaults above)
  • Optional basic-auth protection (username/password)

Notes

  • ⚠️ setup-project fallback behavior: if the direct Quartz bootstrap command fails, the fallback path may clear files in the configured workspace directory before cloning Quartz. Use a dedicated workspace path for this skill.

OpenClaw usage tips

Example prompts:

  • “Set up obsidian-cloudflare-pages wizard for my markdown folder.”
  • “Run doctor and tell me what dependency is missing.”
  • “Sync, build, and deploy to Cloudflare Pages.”
  • “Enable basic auth and redeploy.”

Best practices:

  • Keep secrets in .env (never in chat logs)
  • Commit config.example.json, not personal config.json
  • Use a scoped Cloudflare token (Pages edit, DNS edit only if needed)
  • Start on a test subdomain before production

Standalone usage (outside OpenClaw)

This works as a plain Node CLI too:

node bin/publishmd-cf.js init
node bin/publishmd-cf.js wizard
cp .env.example .env
# fill .env values
node bin/publishmd-cf.js run

Security note

Basic auth in this skill is intentionally simple and optional. Do not publish highly sensitive content unless you fully understand your security model and hardening choices.

Comments

Loading comments...