
Security audit

Forge Obsidian Brain

Security checks across malware telemetry and agentic risk

Overview

This local Obsidian note skill is not clearly malicious, but it needs review because its file-access and deletion safeguards are broader and weaker than users would expect.

Install only after reviewing or patching path containment and delete confirmation. Use a dedicated, non-sensitive vault, avoid running sync/test.js against real data, and treat sync as copying private notes into the persistent OpenClaw memory store, even though no network exfiltration was found.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill declares no permissions, yet its own documentation shows use of environment variables and home-directory filesystem access for vault discovery and sync. This creates an under-declared trust boundary: users may believe the skill is narrowly scoped while it can read configuration and act on paths derived from environment and user home locations.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented behavior exceeds the stated purpose: the skill reads global Obsidian configuration, exposes it through a config command, and syncs with a separate memory store under ~/.openclaw/workspace/memory. Description-behavior mismatches are dangerous because they undermine informed consent and can lead the agent or user to expose or modify data outside the expected vault-only scope.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The path resolution logic does not enforce that the final resolved path stays inside the configured vault. Inputs such as '../' segments or crafted absolute paths can cause reads, writes, updates, deletes, and searches to operate on arbitrary filesystem locations, which directly contradicts the skill's 'local-only vault management' safety boundary and makes the issue more dangerous in this context.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
deleteNote advertises a confirmation control, but the function ignores the confirm parameter and unconditionally deletes the file. This creates a dangerous mismatch between the API contract and actual behavior, increasing the chance that callers believe deletion is gated when it is not; combined with the path escape issue, it can delete arbitrary local files.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script enumerates and ingests markdown files from a hard-coded HOME-relative directory ('~/obsidian-vault/OpenClaw/Ideas') in addition to configured vault locations. This expands the data collection scope beyond explicitly configured paths, which can cause unintended reading and propagation of sensitive notes from a user directory without clear consent or visibility.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The invocation text uses broad triggers such as 'brain commands' and 'Obsidian-related operations,' which can cause the agent to invoke the skill in contexts beyond the user's intent. Over-broad activation increases the chance of unintended reads, writes, syncs, or capture of sensitive material during loosely related conversations.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill documents destructive operations like delete, overwrite, init, and sync without prominent safety warnings or confirmation requirements. In a filesystem-writing skill, this increases the risk of accidental data loss, clobbering notes, or unintended propagation of changes between the vault and memory store.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The delete operation performs immediate irreversible removal with no user-facing safeguard, despite documentation implying confirmation is required. In a note-management skill this raises the risk of accidental or coerced data loss, though by itself it is less severe than arbitrary path traversal unless paired with other flaws.

Context Leakage

High
Category
Data Exfiltration
Content (excerpt from the skill's documentation)
| `capture thought <text>` | Quick thought → `Brain/Thoughts/` |
| `capture research --url <url> --title <title>` | Research ref → `Brain/Research/` |
| `capture conversation --source <src> --id <id>` | Chat log → `Brain/Conversations/` |
Confidence
90% confidence
Finding
`capture conversation`: the documented command writes chat-log content into `Brain/Conversations/` in the vault.

Context Leakage

High
Category
Data Exfiltration
Content (excerpt from the skill's documentation)
--text "Key points about service boundaries"

# Conversation log
brain capture conversation \
  --source telegram \
  --id "12345" \
  --text "User asked about distributed systems"
Confidence
90% confidence
Finding
`capture conversation`: the documented example stores message text from an external chat source (here Telegram) in the vault.

VirusTotal

62/62 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.