Skill v1.0.2
ClawScan security
OpenClaw Skill: Obsidian Markdown to Cloudflare Pages · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious (Mar 5, 2026, 9:32 PM)
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's behavior generally matches its stated purpose (publishing Obsidian/Markdown to Cloudflare Pages), but there are a few coherence and safety concerns you should review before installing and running it.
- Guidance: This skill appears to implement the advertised Obsidian→Cloudflare Pages workflow, but review these items before using it:
  - Provide Cloudflare credentials only via a local .env or shell environment; the skill expects CLOUDFLARE_API_TOKEN and CLOUDFLARE_ACCOUNT_ID but the registry metadata did not declare them — that is a manifest omission. Treat this as intentional: the tool needs a Cloudflare token to deploy.
  - The wizard can store a basic-auth password directly into config.json (plaintext) unless you explicitly use env-backed credentials; prefer BASIC_AUTH_USERNAME/PASSWORD in your environment and do not commit config.json.
  - The CLI will attempt to read files in your home directory (it tries to detect Obsidian vaults at a macOS path). If you don't want that, run on a controlled machine or edit the script.
  - The script can run arbitrary shell commands (rsync, npx quartz, wrangler) and has a fallback that may clear the configured workspace when ALLOW_DESTRUCTIVE=1 is set — only point the workspace to a dedicated path you can safely wipe.
  - Use --dry-run / DRY_RUN=1 first to preview actions, inspect bin/publishmd-cf.js for any code you are uncomfortable with, and consider running the workflow on a test subdomain before production.
  If these caveats are acceptable and you verify the code, the skill itself is coherent with its purpose; the main issues are the missing manifest declaration for required envs and the potential for accidental plaintext secret storage and destructive workspace operations.
Review Dimensions
- Purpose & Capability [note]: Name and description align with the included CLI and code: it syncs markdown, builds with Quartz, and deploys with Wrangler. However, the registry metadata does not declare the Cloudflare API credentials the code actually expects (CLOUDFLARE_API_TOKEN, CLOUDFLARE_ACCOUNT_ID), which is an omission in the manifest.
- Instruction Scope [note]: SKILL.md and the CLI instruct only the expected publish flow (init, wizard, sync, build, deploy). The CLI also reads files in the user home (detectOpenVaults checks ~/Library/Application Support/obsidian/obsidian.json) to auto-detect vaults, and the wizard can write secrets into config.json (basicAuth.password) if provided — the README warns about this but the functionality exists. The skill runs shell commands (rsync, npx quartz, wrangler) via execSync; these are expected for the task but will execute arbitrary local commands.
- Install Mechanism [ok]: No install spec or remote downloads; the skill is instruction-only with a bundled Node CLI. Nothing is pulled from arbitrary URLs during install. Users must have Node, npm, rsync, npx, and wrangler installed separately.
- Credentials [concern]: The skill requires Cloudflare credentials (CLOUDFLARE_API_TOKEN and CLOUDFLARE_ACCOUNT_ID) and optionally basic auth credentials, but the registry metadata lists no required env vars or primary credential. This mismatch is a manifest omission that makes it harder to audit what secrets the skill needs. The wizard can also persist basic auth passwords into config.json (plaintext) unless the user explicitly uses env-backed credentials, which increases the risk of accidental secret leakage.
- Persistence & Privilege [note]: `always` is false and the skill does not request persistent platform-wide privileges. It can clear a workspace directory as part of a fallback setup, but that destructive behavior is gated by the ALLOW_DESTRUCTIVE=1 environment variable and there are explicit guards (assertSafePath) and warnings in the docs. Still, this capability is powerful and must be used only on a dedicated workspace path.
