ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

obsidian-notesmd-cli-command

v1.0.0

Work with Obsidian vaults (plain Markdown notes) and automate via obsidian-cli.

0· 70·0 current·0 all-time
by@michael-c-matias·duplicate of @mohdalhashemi98-hue/mh-obsidian
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (work with Obsidian vaults via obsidian-cli) matches the declared required binary and the instructions. However, the SKILL.md refers to a macOS-specific config file (~/Library/Application Support/obsidian/obsidian.json) even though the skill metadata does not declare any OS restriction or config paths. This is a minor mismatch in declared requirements vs. runtime guidance.
Instruction Scope
Runtime instructions mostly stay on‑task (search, create, move, delete notes using obsidian-cli). They explicitly instruct reading the user-specific config file to find active vaults, which is relevant to the purpose but is an undeclared file read of a user data path. The instructions also assume Obsidian’s URI handler and macOS paths; there is no guidance for Linux/Windows locations.
Install Mechanism
The install spec uses Homebrew (brew formula yakitrak/yakitrak/obsidian-cli) which will create the obsidian-cli binary. Using Homebrew is normal, but this is a third‑party tap (yakitrak) rather than the core Homebrew repository: moderate risk if you don't trust that tap. No arbitrary downloads or archives are present.
Credentials
The skill declares no environment variables, credentials, or config paths. That is proportionate to its stated purpose (it only needs the obsidian-cli binary). The only runtime data the instructions reference is the user config file (vault locations).
Persistence & Privilege
always:false and no install-time scripts or code files are included. This is an instruction-only skill that relies on an external binary; it does not request persistent elevated privileges or modify other skills' configs.
What to consider before installing
This skill appears to be what it claims (an obsidian-cli helper) but review a few things before installing: 1) The SKILL.md reads ~/Library/Application Support/obsidian/obsidian.json (macOS); if you’re on Linux/Windows or expect cross-platform use, confirm path handling. 2) The Homebrew formula is hosted in a third‑party tap (yakitrak); verify the tap and formula source before brew install to avoid installing untrusted binaries. 3) The skill will read your Obsidian config to find vault paths—these are local user files (not secret keys, but they reveal note locations). If you’re uncomfortable, run obsidian-cli manually first to verify behavior, or inspect the brew formula source. If you can provide the brew formula URL or the formula source repo, I can re-evaluate and raise or lower confidence.

Like a lobster shell, security has layers — review code before you run it.

latestvk97c1e6aj39bc0jgcq8yc727yh8392tf

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

💎 Clawdis
Binsobsidian-cli

Install

Install obsidian-cli (brew)
Bins: obsidian-cli
brew install yakitrak/yakitrak/obsidian-cli

Comments