Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
obsidian-llm-wiki
v1.0.2个人知识库构建系统 — 基于 Karpathy LLM-Wiki 方法论,结合 obsidian-cli 实现高效的 Obsidian vault 管理。 让 AI 持续构建和维护你的 Obsidian 知识库,支持多种素材源(网页、公众号、知乎、YouTube、PDF、本地文件), 自动整理为结构化的 wiki...
⭐ 0· 27·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The SKILL.md and script assume and instruct heavy use of the local obsidian CLI (commands like `obsidian vault=... create/append/read`, and explicit guidance to use `write_to_file` for long content), but the skill metadata declares no required binaries or environment variables. That mismatch (undeclared required local binary) is an inconsistency users should be aware of.
Instruction Scope
Instructions legitimately describe reading/writing files inside a user-specified vault, creating templates, and running health checks with obsidian-cli. These operations are within the stated purpose, but they include unrestricted local file writes (create/overwrite pages, write README/index/log, delete temp files if used). SKILL.md also recommends external extractor tools and mentions network usage for fetching materials — the skill itself does not fetch remote content, but the workflow presumes network-enabled tools.
Install Mechanism
This is instruction-only (no install spec). The included init-wiki.sh creates directories and copies templates locally; it does not download code or call external URLs. The lack of an install spec is low risk, but combined with the undeclared obsidian-cli dependency it means the user must manually ensure prerequisites are present.
Credentials
The skill declares no required environment variables or credentials, and the provided files do not attempt to read secrets or external tokens. This is proportionate to the stated local-vault purpose.
Persistence & Privilege
always:false and no automatic installation or system-wide config changes. The skill writes only to the user-specified vault path and copies templates; it does check standard skill-template locations (~/.workbuddy/skills/...), but only to locate templates. Agent autonomous invocation is allowed by platform defaults (not a problem by itself) — consider controlling agent autonomy if you want manual approval before the skill runs.
What to consider before installing
This skill will create and modify files inside whatever vault path you give it and expects the local obsidian CLI to be available — but the registry metadata does NOT list obsidian-cli as a required binary. Before installing: 1) Verify and install obsidian-cli and open the vault once in Obsidian (as SKILL.md requires). 2) Back up your vault, since the skill will create/overwrite pages and templates. 3) Inspect templates/ and init-wiki.sh locally to ensure you’re comfortable with the exact files it will create. 4) If you don't want the agent to run these actions autonomously, disable or restrict skill autonomous invocation in your agent settings or require explicit user confirmation. 5) If you plan to use external extractors or network fetchers, vet those tools separately — this skill recommends them but does not supply them. If you want me to, I can list the exact obsidian-cli commands the skill will run and show a safe checklist to run the init script manually first.Like a lobster shell, security has layers — review code before you run it.
latestvk97cnvtbmd4bdma8w7nv65x5mx84e7vj
License
MIT-0
Free to use, modify, and redistribute. No attribution required.