Forge Obsidian Brain

Pass

Audited by VirusTotal on May 3, 2026.

Overview

Type: OpenClaw Skill
Name: forge-obsidian-brain
Version: 1.0.2

The forge-obsidian-brain skill is a local-only CLI tool for managing an Obsidian vault, providing note CRUD, bidirectional synchronization, and advanced search capabilities (fuzzy, regex, case-insensitive). The implementation uses only Node.js built-in modules (fs, path, crypto, os) and explicitly avoids network access, external APIs, and shell execution, as documented in the provided SECURITY.md and SCANNER_APPEAL.md files. All operations are confined to the user's vault and OpenClaw workspace, with no evidence of malicious intent, data exfiltration, or unauthorized execution.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A crafted note path could let the agent read, overwrite, create, or delete Markdown files outside the intended Obsidian vault.

Why it was flagged

Note paths are joined to the vault path without a canonical containment check that rejects '..' traversal or prefix-confusable absolute paths, then the resulting path is used for writes and deletes.

Skill content
```javascript
function resolveNotePath(vaultPath, notePath) {
  ...
  return path.join(vaultPath, notePath);
}
...
fs.writeFileSync(fullPath, content, 'utf8');
...
fs.unlinkSync(fullPath);
```
Recommendation

Resolve paths with path.resolve, verify the final path remains inside the vault using a path boundary check, and apply this to read/list/create/update/delete and sync destinations.

What this means

A user may believe deletes require an extra approval, while an agent/tool invocation can remove a note immediately.

Why it was flagged

This safety assurance is contradicted by the provided delete implementation, which calls fs.unlinkSync on the target path without an implemented prompt or confirmation check.

Skill content
Destructive actions require explicit confirmation:
- `delete` command requires confirmation
Recommendation

Implement an explicit confirmation prompt or required flag such as --yes for deletes, or correct the documentation and require user review before destructive commands.

What this means

Notes placed in synced vault folders can become long-lived agent context and may influence future responses.

Why it was flagged

The skill intentionally writes vault content into persistent OpenClaw memory, which can be reused by the agent in later tasks.

Skill content
`~/.openclaw/workspace/memory/*.md` — Vault entries synced back to memory
Recommendation

Use --dry-run first, sync only trusted notes/folders, and consider adding review or allowlist controls for vault-to-memory imports.