Wiki.js CLI
Pass
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a purpose-aligned Wiki.js management CLI, but it requires a Wiki.js API token and can make broad wiki changes, so users should scope and supervise its use.
Install this only if you want an agent-accessible CLI that can manage your Wiki.js instance. Create a minimally scoped Wiki.js API token, keep the config file private, review all delete/force/restore/bulk commands before they run, use dry-run and backups for large changes, and verify the package entrypoint/source before linking it globally.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A token with broad Wiki.js permissions could allow the CLI or an agent using it to read, create, modify, or delete wiki content.
The CLI uses a Wiki.js API token as a bearer credential for GraphQL requests. This is expected for the integration, but the registry metadata lists no primary credential, so users need to understand the token scope.
'Authorization': `Bearer ${config.apiToken}`
Use a least-privilege Wiki.js API token, protect ~/.config/wikijs.json, and prefer HTTPS for non-local Wiki.js servers.
A mistaken or over-eager command could delete or alter Wiki.js pages or assets.
The CLI includes destructive actions and an option to skip confirmations. This is disclosed and common for management CLIs, but it is high-impact if invoked incorrectly.
Delete operations prompt for confirmation unless `--force` is used
Require explicit user approval before delete, restore, force, or other mutating commands; use dry-run options where available.
One incorrect folder, path prefix, or replacement string could change many wiki pages.
Bulk update and cross-wiki search/replace can affect many pages from one command. The behavior is purpose-aligned and disclosed, with dry-run examples, but it can propagate mistakes widely.
`wikijs bulk-update <folder>` | Update from files ... `wikijs replace "old" "new"` | Search/replace across pages
Run bulk operations with --dry-run first, scope them by path where possible, and keep backups before applying changes.
Private wiki information may remain on the local machine in cache, backup, export, or sync directories.
The CLI writes cached Wiki.js data to a local cache directory. This supports offline/performance features, but local cache files may contain wiki metadata or content.
const CACHE_DIR = join(homedir(), '.cache', 'wikijs-cli'); ... writeFileSync(cachePath, JSON.stringify(data));
Store local cache/backups in a protected location and clear them when no longer needed, especially on shared machines.
If started unintentionally, watch mode may continue making API calls and updating local files.
The skill supports user-invoked long-running watch/sync behavior. The artifacts do not show hidden persistence, but the mode can keep polling and writing local sync output until stopped.
`wikijs sync --watch` | Watch mode
Use watch/sync modes only when intended, choose a clear output directory, and stop the process when finished.
The CLI may fail to link/run as supplied, or a user may need to obtain an unreviewed entrypoint from another source.
The package declares a CLI entrypoint, but the supplied file manifest does not include bin/wikijs. This looks like a package completeness/provenance issue rather than hidden execution.
"bin": {
"wikijs": "./bin/wikijs"
}
Verify the release source and expected bin/wikijs file before running npm link or using the CLI globally.
