Obsidian and OpenClaw Sync

Security checks across malware telemetry and agentic risk

Overview

This skill is an instruction-only Obsidian sync guide whose local file-writing and context-mirroring behavior is disclosed and aligned with its purpose.

Install only if you want agents to write selected workspace knowledge into an Obsidian vault. Before mirroring USER.md, MEMORY.md, AGENTS.md, or similar files, confirm whether the vault is shared or cloud-synced and exclude secrets, private user data, and internal context you do not want preserved there.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium (94% confidence)
Finding:
The skill explicitly tells the agent to symlink a real Obsidian vault into the workspace and then write into it, but it does not require an explicit user confirmation before modifying external user files. That creates a real risk of unintended file changes, corruption of an existing vault structure, or writes into a shared/personal knowledge base outside the normal workspace safety boundary.

Missing User Warnings

Medium (97% confidence)
Finding:
The skill recommends mirroring internal operating documents such as AGENTS.md, USER.md, MEMORY.md, TOOLS.md, and HEARTBEAT.md into a human-accessible Obsidian vault. Even though the text includes a brief privacy reminder later, it is not a strong, front-loaded warning and does not require sensitivity review, so it could expose secrets, internal instructions, personal data, or operational context in plaintext.

Ssd 3

Medium (98% confidence)
Finding:
Persisting agent memory and operating context into an Obsidian vault increases the chance that sensitive internal state or user-derived information becomes durable, discoverable, and editable outside the controlled workspace. In this skill's context, the danger is elevated because the vault is intended for both humans and agents, which broadens access and makes inadvertent disclosure more likely.

VirusTotal

63/63 vendors flagged this skill as clean.
