ClawHub

Wiki.js CLI

v1.4.0

Command-line tool to manage Wiki.js content, pages, assets, templates, and backups via its GraphQL API with search, update, sync, and analysis functions.

0· 1.3k·2 current·2 all-time
by@hopyky
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The package files, SKILL.md, and code implement a Wiki.js GraphQL CLI (list/create/update/delete, assets, backup/sync, etc.), which is coherent with the skill name. However the skill metadata provided no description/homepage while package.json claims a GitHub homepage — a minor mismatch in source metadata.
Instruction Scope
SKILL.md explicitly instructs installing via npm, creating a config at ~/.config/wikijs.json with url and apiToken, and using commands. Runtime instructions and code operate on that config and the Wiki.js API only; there are no instructions to read unrelated system files or send data to unexpected endpoints.
Install Mechanism
There is no platform install spec, but the repo includes package.json and SKILL.md instructs `npm install && npm link`. That is consistent with a JS CLI distributed via source. This is moderately risky compared to an instruction-only skill with no code, because running npm install pulls third-party packages onto disk — review dependencies before installing.
!
Credentials
Registry metadata declared no required config paths or credentials, but the code requires and reads a config file at ~/.config/wikijs.json that must contain the Wiki.js url and an apiToken. The CLI will also write cache (~/.cache/wikijs-cli) and may write backups to configured paths. The missing declaration of the config path / secret is an inconsistency that affects security decisions: the skill will have access to an API token stored on disk that was not declared in metadata.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system settings. It does write cache files and can create backups in configured directories (per SKILL.md and code), which is expected for a CLI but means it will persist data on the host filesystem under user-owned paths.
What to consider before installing
This package appears to be a genuine Wiki.js CLI: it expects a config file at ~/.config/wikijs.json containing your wiki URL and an API token and will use that token to call your Wiki.js instance. Before installing or supplying credentials, do the following: 1) Verify the upstream source — the registry metadata lacks a homepage but package.json points to a GitHub repo; confirm that repo and maintainer are trustworthy. 2) Inspect package.json and node dependencies (npm install will fetch them). 3) Review the config file contents you will place at ~/.config/wikijs.json and ensure the API token has minimal permissions needed (avoid using a full-admin token if possible). 4) Be aware the CLI will create cache (~/.cache/wikijs-cli) and may write backups to configured directories — pick safe locations. 5) If you need stronger isolation, run npm install and the CLI in a disposable environment/container or on a machine account with limited privileges. The main inconsistency is that the skill metadata did not declare the required config path/credential; if that matters for your risk posture, ask the publisher to update metadata or provide a signed, canonical upstream release link before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk970rvcatcmfm6qj8573e1mdhx80mbn9

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments