Publish Wiki Pages
ReviewAudited by ClawScan on May 10, 2026.
Overview
This looks like a normal Wiki.js publishing helper, but it needs a Wiki.js API token and can create or update published wiki pages, so review the target URL, path, and content before use.
Use this skill only with a trusted Wiki.js endpoint over HTTPS and a least-privileged API token. Confirm the Markdown file and target path before publishing, because an existing page at that path will be updated and new pages are created as published/non-private by default. No artifact-backed evidence of malicious exfiltration, persistence, or hidden behavior was found.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked with a broadly scoped token, the agent can create or update wiki pages allowed by that token.
The skill requires a Wiki.js API token and states the user must have write permissions. This is expected for publishing, but it delegates real account authority to the agent/script.
"WIKI_KEY", "description": "Wiki.js API token", "required": true, "credential": true ... "primaryCredential": "WIKI_KEY"
Use a least-privileged Wiki.js API token limited to the intended wiki or namespace, keep it out of logs, and revoke or rotate it when no longer needed.
A mistaken path or file selection could overwrite an existing wiki page or publish draft/private content to the configured wiki.
The script can update an existing page without an interactive prompt and creates new pages as published/non-private. This is purpose-aligned for a publisher, but it is a high-impact action if the file or path is wrong.
if existing_page: ... print(f"Page exists (ID: {existing_page['id']}), updating...") ... result = update_page(...); ... isPublished: true ... isPrivate: falseReview the Markdown file, target WIKI_URL, and --path before running; consider using a staging wiki or adding a confirmation step for updates.
Users relying only on registry metadata may not realize the skill needs a Wiki.js API token and performs authenticated network writes.
The registry-facing metadata lacks source/homepage provenance and does not list the credential requirements that SKILL.md declares. The behavior is still disclosed in the skill text and code, so this is an install-context note rather than evidence of hidden behavior.
Source: unknown; Homepage: none; Required env vars: none; Primary credential: none
Read the SKILL.md and script before use, verify the owner/source as much as possible, and keep registry metadata synchronized with required credentials and dependencies.