Skill v1.0.0

ClawScan security

web-to-obsidian · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 7, 2026, 10:18 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill generally does what it claims (fetch, translate, generate metadata, import to Obsidian) but has several mismatches and privacy/SSRF risks (undocumented dependencies, disabled SSL verification, use of third‑party cleaning services, and fallback to direct fetch) that you should review before installing.
Guidance
Before installing or using this skill, consider the following:

- Network & privacy: The fetch scripts forward the target URL to third‑party cleaning services (r.jina.ai, markdown.new, defuddle.md) and will also fetch the original URL locally if those services fail. That means the content and the URL (potentially including internal-only addresses like 169.254.169.254 or localhost) could be seen by external services or fetched from your agent. Do NOT run this on sensitive/internal URLs.
- SSL verification: The code disables SSL verification for outgoing requests. This increases the risk of man‑in‑the‑middle interception. Consider enabling proper SSL checking before using in production.
- Missing declared dependencies: The SKILL.md expects python3 and obsidian-cli, but the skill metadata does not declare required binaries or an install step. Ensure you have python3 and a safe method to import into Obsidian (verify what obsidian-cli does) before running.
- Hardening suggestions: (1) Add domain whitelisting or block private IP ranges to prevent SSRF to internal resources. (2) Re-enable SSL verification or limit it to specific known hosts. (3) Consider running the fetch step in an isolated environment or on a machine that contains no sensitive credentials. (4) If you don't trust external cleaning services, replace them with a local converter or a vetted service.
- If you want to proceed: audit scripts/fetch.py and scripts/smart-url.py locally, test with non-sensitive public URLs, and confirm obsidian-cli behavior (especially how it receives content) before using with real notes or private sites.

Review Dimensions

Purpose & Capability
concern · The skill's purpose (fetch web pages and import into Obsidian) matches the code and instructions, but SKILL.md references external tooling (obsidian-cli, python3) and network cleaning services while the skill declares no required binaries or install steps. Omitting obsidian-cli and python3 from declared requirements is an inconsistency that may mislead users about what will run on their machine.
Instruction Scope
concern · Runtime instructions call scripts that fetch URLs and send requests to third‑party cleaning services (r.jina.ai, markdown.new, defuddle.md). The scripts also fall back to fetching the original URL directly. This means supplied URLs (including internal addresses) can be requested either by the local agent or by external services, creating SSRF/data‑exfiltration and privacy risk. The code also disables SSL verification for these fetches.
Install Mechanism
note · There is no install spec (instruction-only), which reduces install-surface risk. However, shipped Python scripts will be executed but required binaries (python3, obsidian-cli) are not declared — this is a procedural omission rather than an active install risk. No downloads from unknown URLs occur during install.
Credentials
note · The skill requests no environment variables or credentials, which aligns with its stated functionality. However, the scripts transmit URLs/content to external services; the lack of any explicit credential or consent mechanism means private content could be exposed unintentionally to those services.
Persistence & Privilege
ok · The skill does not request persistent or privileged presence (always:false) and does not modify other skills or system-wide configuration. It reads/writes a local temp.md file and calls obsidian-cli per instructions.