OpenClaw Skill: Obsidian Markdown to Cloudflare Pages

Security checks across malware telemetry and agentic risk

Overview

The skill does what it says, but its optional Basic Auth feature can write the chosen password into a generated deployment file, so users should review it before use.

Before installing, use a dedicated workspace, run --dry-run, keep includeFolders narrow, and use a scoped Cloudflare token. Avoid enabling Basic Auth unless you are comfortable with the generated functions/_middleware.js containing the Basic Auth password, and ensure that workspace is not committed or shared if Basic Auth is enabled.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: When basic auth is enabled, the script materializes the username and password directly into functions/_middleware.js, embedding secrets into a file in the deployment workspace. That creates a persistent plaintext copy that can be committed, backed up, exposed through logs/artifacts, or otherwise leaked beyond the intended environment-variable scope.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal