Obsidian Wiki Manager

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built for managing an Obsidian knowledge base, but its broad triggers can cause private wiki reads, file writes, URL fetching, and indexing commands with too little explicit user control.

Install only if you want an agent to manage a specific Obsidian vault and are comfortable with it reading raw materials, writing many files under wiki/, fetching URLs into raw/clippings/, and running qmd maintenance commands. Use explicit commands, review generated changes, and keep backups or version control for the vault.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (6)

Vague Triggers

Medium
Confidence: 91%
Finding
The INGEST trigger includes a very broad phrase, "处理这个" ("process this"), which can match many ordinary user utterances and cause the skill to enter a high-impact workflow unintentionally. In this skill, INGEST can create and update many files, perform hashing, read raw materials, and later invoke indexing commands, so accidental activation materially increases the chance of unintended file modifications.

Vague Triggers

Medium
Confidence: 93%
Finding
The QUERY trigger condition says it activates on direct questions or "根据我的知识库" ("based on my knowledge base"), which is effectively broad enough to capture many normal conversations. Because QUERY runs local commands like `qmd search` and may write reusable outputs to `wiki/outputs/`, ambiguous activation can cause unexpected data access and file writes without clear user intent.

Vague Triggers

Low
Confidence: 72%
Finding
The REFLECT triggers are somewhat broad, but less likely than INGEST/QUERY to fire during routine conversation because they are more specialized phrases. Still, this workflow performs wide scans across the wiki and writes synthesis and gap-report files, so accidental activation could create unwanted derived content and consume resources.

Missing User Warnings

Medium
Confidence: 88%
Finding
The architecture section states that the LLM has full read/write access to `wiki/`, but the user-facing description does not prominently warn that the skill may modify many files as part of normal operation. This creates a consent and safety problem: users may invoke the skill expecting assistance, while the skill can batch-create or rewrite source, concept, entity, index, log, synthesis, and output files.

Missing User Warnings

Medium
Confidence: 90%
Finding
The URL handling rules direct the skill to fetch external web content, convert it to Markdown, and save it locally, but the description does not clearly warn users about outbound network access and ingestion of remote content. In practice, that can expose browsing intent, pull in untrusted content, and trigger persistence of attacker-controlled material into the knowledge base.

Missing User Warnings

Low
Confidence: 84%
Finding
The skill instructs execution of `qmd update` and `qmd embed`, but does not prominently disclose that shell or local command execution is part of the workflow. Even though the commands appear fixed rather than user-composed, undisclosed command execution can still surprise users and lead to unintended side effects on local state or indexing artifacts.

VirusTotal

64/64 vendors flagged this skill as clean.