Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Obsidian CLI (kepano)
v1.0.0Interact with Obsidian vaults using the Obsidian CLI to read, create, search, and manage notes, tasks, properties, and more. Also supports plugin and theme d...
⭐ 0· 45·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The SKILL.md describes an Obsidian CLI helper and developer tooling (create/read/search notes, plugin dev, eval, screenshots). That purpose is coherent with the instructions. However the registry metadata lists no required binaries while the runtime instructions explicitly require the `obsidian` CLI and a running Obsidian instance — a small but notable mismatch.
Instruction Scope
The instructions direct the agent to run the obsidian CLI against the user's vault and include developer commands that can run arbitrary JavaScript in the app context (obsidian eval), read all files (app.vault.getFiles() and file/path targeting), take screenshots, inspect DOM, and copy output to clipboard. Those capabilities are consistent with plugin development but also allow reading or exporting arbitrary vault content; nothing in SKILL.md constrains or sanitizes what the agent may capture or transmit.
Install Mechanism
This is an instruction-only skill with no install spec and no code written to disk, which is low-risk from an installation perspective.
Credentials
The skill requests no environment variables or credentials (appropriate). However, it implicitly requires access to the user's Obsidian vault files and a running Obsidian app; the manifest does not declare the required `obsidian` binary, which is an omission that reduces clarity about runtime requirements.
Persistence & Privilege
The skill is not marked always:true and doesn't request special platform-wide persistence or configuration changes. Autonomous invocation is allowed by default but not combined with additional privileges in this skill.
What to consider before installing
This skill is mostly what it says — a helper for the Obsidian CLI and plugin development — but be cautious: the instructions allow running arbitrary JavaScript inside your Obsidian app and reading any file in your vault (and copying or screenshotting output). The registry metadata failing to list the required `obsidian` CLI is a minor inconsistency. Only install if you trust the skill author; avoid invoking developer commands that run eval or access sensitive notes unless you test in a disposable vault first. Consider restricting the agent's autonomy (do not allow it to run commands without confirmation) and review any outputs the agent plans to send externally.Like a lobster shell, security has layers — review code before you run it.
clivk9741ckfxcjw84vvaajwqtg18h842be2latestvk9741ckfxcjw84vvaajwqtg18h842be2obsidianvk9741ckfxcjw84vvaajwqtg18h842be2vaultvk9741ckfxcjw84vvaajwqtg18h842be2
License
MIT-0
Free to use, modify, and redistribute. No attribution required.