zettel-brainstormer

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its stated Obsidian note-brainstorming purpose, but its wikilink resolver can include Markdown files outside the configured note folder.

Install only if you are comfortable letting the skill read selected Obsidian notes and create temporary working files. Before relying on it, fix or watch for wikilinks that can escape the configured zettel folder, review candidate paths before subagent preprocessing, and separately review the optional zettel-link dependency if you use semantic retrieval.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A note containing a crafted or accidental relative wikilink could pull in local Markdown files outside the intended Zettelkasten folder, and later stages may summarize or cite that content.

Why it was flagged

Wikilink targets are joined to the configured zettel directory without resolving and checking that the final path remains inside that directory. A relative target such as '../private-note' could cause retrieval of an outside Markdown file if it exists.

Skill content
    exact = zettel_dir / f"{target}.md"
    if exact.exists():
        return exact
Recommendation

Before use, update the resolver to reject '..' and absolute paths and to verify resolved paths are within the configured zettel_dir; also review candidate paths before preprocessing.

What this means

Selected note text, quotes, summaries, and paths may be processed by model agents and appear in generated outputs.

Why it was flagged

The preprocessing subagents receive local note contents and file paths as model context, which is expected for this brainstorming workflow but may include private notes.

Skill content
- One candidate note content
- Candidate note path
Recommendation

Use a narrowly scoped zettel_dir, avoid running the skill on highly sensitive notes, and review outputs before sharing or publishing.

What this means

Temporary files may retain traces of private notes after the task finishes.

Why it was flagged

The workflow stores candidate lists, preprocess outputs, and draft packets under /tmp. This is disclosed and purpose-aligned, but those files can contain note paths and extracted note material.

Skill content
--output /tmp/zettel_candidates.json ... --preprocess-dir /tmp/zettel_preprocess ... --output /tmp/zettel_draft_packet.json
Recommendation

Clear the temporary files after use if the notes are sensitive, or configure the workflow to use a private working directory.

What this means

If zettel-link is installed, this skill may rely on that separate tool's behavior and data handling.

Why it was flagged

The workflow can invoke an external skill that is not included in these artifacts. This is disclosed and relevant to semantic retrieval, but its code is outside this review.

Skill content
Check if the external `zettel-link` skill is available. If it exists, run semantic retrieval via its `scripts/search.py` command
Recommendation

Review and trust the zettel-link skill separately before enabling semantic retrieval, or skip that step and use only the bundled local retrieval script.

What this means

Using the skill will execute local Python scripts to configure paths and retrieve/compile notes.

Why it was flagged

The skill is described as instruction-only in the install metadata, but normal use requires running bundled Python helper scripts. The reviewed scripts are purpose-aligned and the static scan is clean.

Skill content
python zettel-brainstormer/scripts/setup.py
Recommendation

Run the scripts only from the reviewed skill directory and re-check them after updates.