Book Capture Obsidian

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill appears purpose-aligned for importing books into Obsidian, but it can run local helper tools, modify vault notes, and query external book metadata services.

Before installing: be sure you are comfortable running local helper scripts; back up (or version-control) your Obsidian vault; run Goodreads imports in dry-run mode and verify the vault path before a live import; and decide whether external metadata enrichment and the optional Google Books API key fit your privacy preferences.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI08: Cascading Failures
Severity: Low
What this means

A mistaken vault path or bad CSV import could change many notes in the selected vault.

Why it was flagged

The skill can create or update many Obsidian Markdown files during migration, but it discloses this and requires an explicit vault destination.

Skill content
Goodreads CSV migration with `scripts/migrate_goodreads_csv.py` ... Upsert notes with `scripts/upsert_obsidian_note.py` ... Require explicit vault destination (`BOOK_CAPTURE_VAULT_PATH` or `--vault-path`) before bulk writes.
Recommendation

Run the documented dry run first, back up or version-control the vault, and confirm the vault path before live migration.
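The guard described in this finding (explicit vault destination, dry run before bulk writes), as an added example. This is not the skill's own code: the environment variable and `--vault-path` option are taken from the scan excerpt, while the `.obsidian/` check, the `Books/` folder layout and the Goodreads-style column names are assumptions made for illustration.

```python
"""Added example (not the skill's own code): refuse bulk vault writes until the
destination is explicit and verified, and plan them in a dry run first.

Hypothetical assumptions, mirroring the scan's description of the skill:
- the vault is selected via BOOK_CAPTURE_VAULT_PATH or --vault-path, never defaulted
- a real Obsidian vault has a `.obsidian/` directory at its root
- rows are Goodreads-style dicts with Title / Author / ISBN13 columns
"""
import os
import tempfile
from pathlib import Path


def resolve_vault(cli_path=None, env=None):
    """Return the vault root, or raise ValueError if none was given or it is not a vault."""
    env = os.environ if env is None else env
    raw = cli_path or env.get("BOOK_CAPTURE_VAULT_PATH")
    if not raw:
        raise ValueError("no vault destination: set BOOK_CAPTURE_VAULT_PATH or pass --vault-path")
    vault = Path(raw).expanduser().resolve()
    if not vault.is_dir():
        raise ValueError(f"vault path is not a directory: {vault}")
    if not (vault / ".obsidian").is_dir():
        raise ValueError(f"{vault} has no .obsidian/ directory; refusing to treat it as a vault")
    return vault


def note_path(vault, title):
    """Map a book title to Books/<title>.md, stripping path characters and
    confirming the resolved target still lies inside the vault."""
    stem = "".join(c for c in title if c.isalnum() or c in " -_").strip() or "untitled"
    target = (vault / "Books" / f"{stem}.md").resolve()
    if vault not in target.parents:  # defence in depth against symlinks or odd resolution
        raise ValueError(f"refusing to write outside the vault: {target}")
    return target


def upsert_notes(vault, rows, dry_run=True):
    """Return the planned (action, relative_path) list; write notes only when dry_run is False."""
    plan = []
    for row in rows:
        target = note_path(vault, row["Title"])
        action = "update" if target.exists() else "create"
        plan.append((action, target.relative_to(vault).as_posix()))
        if not dry_run:
            target.parent.mkdir(parents=True, exist_ok=True)
            body = (
                "---\n"
                f"isbn13: {row.get('ISBN13', '')}\n"
                f"author: {row.get('Author', '')}\n"
                "---\n"
                f"# {row['Title']}\n"
            )
            target.write_text(body, encoding="utf-8")
    return plan


# Constructed sample rows: one ordinary title and one that tries to escape the vault.
SAMPLE_ROWS = [
    {"Title": "Thinking in Systems", "Author": "Donella Meadows", "ISBN13": "9781603580557"},
    {"Title": "../../etc/passwd", "Author": "nobody", "ISBN13": ""},
]


def demo():
    """Build a throwaway vault, dry-run, confirm nothing was written, then apply and re-plan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "vault"
        (root / ".obsidian").mkdir(parents=True)
        vault = resolve_vault(str(root))
        dry = upsert_notes(vault, SAMPLE_ROWS, dry_run=True)
        books = vault / "Books"
        written_after_dry = sorted(p.name for p in books.glob("*.md")) if books.is_dir() else []
        live = upsert_notes(vault, SAMPLE_ROWS, dry_run=False)
        replan = upsert_notes(vault, SAMPLE_ROWS, dry_run=True)
        return dry, written_after_dry, live, replan


if __name__ == "__main__":
    for label, result in zip(("dry run", "written after dry run", "live", "re-plan"), demo()):
        print(f"{label}: {result}")
```

The dry run returns the same plan the live run will execute, so the operator can diff it against expectations (and notice, for instance, that a path-like title has been flattened to `Books/etcpasswd.md`) before any note in the vault is touched.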

ASI05: Unexpected Code Execution
Severity: Info
What this means

The skill may run locally installed barcode/OCR-related tools against user-provided images.

Why it was flagged

ISBN extraction can execute a local barcode tool, which is expected for this purpose and is invoked without a shell and with a timeout.

Skill content
subprocess.run([binary, "--quiet", image_path], check=False, capture_output=True, text=True, timeout=timeout_sec)
Recommendation

Install barcode/OCR tools from trusted sources, and never point `BOOK_CAPTURE_ZBARIMG_BIN` at an executable you do not control: whatever that variable names is run against your images.
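The invocation pattern quoted in this finding (argv list, no shell, timeout) with the guards a practitioner would add around it, as an added example rather than the skill's own code. The `BOOK_CAPTURE_ZBARIMG_BIN` variable and the `--quiet` flag come from the page; the trusted-directory policy, the `TYPE:VALUE` output shape and the ISBN checksum filter are assumptions made for illustration.

```python
"""Added example (not the skill's own code): run a local barcode tool the way
the scan describes (argv list, no shell, timeout) with extra guards around
which binary gets executed and what is trusted from its output.

Hypothetical assumptions:
- the tool is chosen via BOOK_CAPTURE_ZBARIMG_BIN, else `zbarimg` on PATH
- it prints one decoded symbol per line as TYPE:VALUE
- only EAN-13 values with the 978/979 Bookland prefix count as ISBNs
"""
import os
import shutil
import stat
import subprocess
from pathlib import Path

# Policy choice for this example: an explicitly configured binary must live in
# one of these directories, so a stray env var cannot point at ~/Downloads.
TRUSTED_BIN_DIRS = ("/usr/bin", "/usr/local/bin", "/opt/homebrew/bin")


def resolve_tool(env=None, name="zbarimg", trusted_dirs=TRUSTED_BIN_DIRS):
    """Return an absolute path to the barcode binary, or raise if it looks untrustworthy."""
    env = os.environ if env is None else env
    configured = env.get("BOOK_CAPTURE_ZBARIMG_BIN")
    candidate = configured or shutil.which(name)
    if not candidate:
        raise FileNotFoundError(f"{name} is not installed and BOOK_CAPTURE_ZBARIMG_BIN is unset")
    path = Path(candidate)
    if not path.is_absolute():
        raise PermissionError(f"refusing relative tool path {candidate!r}; use an absolute path")
    path = path.resolve()
    mode = path.stat().st_mode
    if not (mode & stat.S_IXUSR):
        raise PermissionError(f"{path} is not executable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError(f"{path} is group- or world-writable; refusing to run it")
    if configured and path.parent not in {Path(d).resolve() for d in trusted_dirs}:
        raise PermissionError(f"{path} is outside the trusted tool directories {trusted_dirs}")
    return str(path)


def isbn13_ok(digits):
    """EAN-13 check digit plus the 978/979 prefix that marks a book number."""
    if len(digits) != 13 or not digits.isdigit() or digits[:3] not in ("978", "979"):
        return False
    total = sum(int(d) * (1 if i % 2 == 0 else 3) for i, d in enumerate(digits[:12]))
    return (10 - total % 10) % 10 == int(digits[12])


def parse_isbns(stdout):
    """Keep only EAN-13 lines that pass the ISBN check; drop duplicates and other symbologies."""
    found = []
    for line in stdout.splitlines():
        symbology, _, value = line.strip().partition(":")
        if symbology == "EAN-13" and isbn13_ok(value) and value not in found:
            found.append(value)
    return found


def scan_image(image_path, timeout_sec=10.0, env=None, trusted_dirs=TRUSTED_BIN_DIRS):
    """Decode ISBNs from one image; returns [] on timeout instead of raising."""
    image = Path(image_path).resolve()  # absolute, so a name like "-x.png" cannot become an option
    if not image.is_file():
        raise FileNotFoundError(image)
    binary = resolve_tool(env, trusted_dirs=trusted_dirs)
    try:
        proc = subprocess.run(
            [binary, "--quiet", str(image)],  # argv list: no shell, no word splitting
            check=False, capture_output=True, text=True, timeout=timeout_sec,
            env={"PATH": "/usr/bin:/bin"},  # minimal environment for the child process
        )
    except subprocess.TimeoutExpired:
        return []
    # check=False: a non-zero exit simply yields no parsed ISBNs.
    return parse_isbns(proc.stdout)


# Constructed sample of tool output: a valid ISBN, a checksum failure, a valid
# EAN-13 that is not a book, a different symbology, and a duplicate.
SAMPLE_OUTPUT = """EAN-13:9781603580557
EAN-13:9781603580558
EAN-13:5012345678900
CODE-128:not-a-book
EAN-13:9781603580557
"""

if __name__ == "__main__":
    print(parse_isbns(SAMPLE_OUTPUT))
```

Two points beyond the page's snippet: the binary is vetted (absolute, not writable by others, in an allow-listed directory when set via the environment) before it is executed, and the tool's output is treated as untrusted input, so only values that survive the ISBN checksum reach the vault.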

ASI07: Insecure Inter-Agent Communication
Severity: Low
What this means

Your reading-library details, such as titles/authors/ISBNs, may be sent to Google Books during enrichment.

Why it was flagged

Goodreads migration can send book identifiers and metadata queries to an external provider for enrichment; this is disclosed and purpose-aligned.

Skill content
Query Google Books for all rows to enrich synopsis/publisher/date/metadata
Recommendation

Disable Google enrichment or adjust the provider order if you do not want library metadata sent to external services.

ASI03: Identity and Privilege Abuse
Severity: Low
What this means

If you provide one, the skill uses your Google Books API key, and therefore your quota, for metadata requests; treat the key as a credential.

Why it was flagged

The skill supports an optional Google Books API key for quota stability; this is expected for the integration and no hardcoded secret is shown.

Skill content
export BOOK_CAPTURE_GOOGLE_API_KEY="YOUR_GOOGLE_BOOKS_API_KEY"
Recommendation

Use an API key restricted to the Books API, keep it in an environment variable rather than in notes or scripts, and redact it before sharing command output or configuration that may include it.