Obsidian - read, search, write and edit direct to obsidian vault.

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: obsidian-direct
Version: 1.0.0

The OpenClaw AgentSkills skill bundle for Obsidian is classified as benign. The `SKILL.md` provides clear, task-oriented instructions for the agent to manage Obsidian notes, without any evidence of prompt injection attempts to deviate from its purpose or perform malicious actions. The Python scripts (`obsidian_cli.py`, `obsidian_search.py`) legitimately interact with the file system to read and write markdown files within the specified vault. Crucially, external command execution via `subprocess.run` (for `ripgrep` and `grep`) properly sanitizes user input using `re.escape()`, mitigating command injection risks. There is no evidence of data exfiltration, persistence mechanisms, or other malicious behaviors.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern: Medium Confidence
ASI02: Tool Misuse and Exploitation
What this means

A mistaken, malicious, or injected folder value could make the agent create or overwrite a Markdown file outside your intended vault, under the user account's normal file permissions.

Why it was flagged

The folder argument is used directly to build the write path, then the file is written. The shown function does not reject absolute paths, '..' traversal, or existing target files, so a create operation is not clearly limited to the intended Obsidian vault.

Skill content
def create_note(vault: Path, title: str, content: str = '', folder: str = None,
...
    if folder:
        note_dir = vault / folder
        note_dir.mkdir(parents=True, exist_ok=True)
...
    note_path = note_dir / f"{safe_title}.md"
...
    note_path.write_text(full_content, encoding='utf-8')
Recommendation

Constrain folder paths by resolving them under the vault, reject absolute paths and '..' segments, check before overwriting existing files, and require explicit user confirmation for any write outside the expected vault folder.

What this means

Searches and answers may expose the contents of notes in the configured vault to the active agent session.

Why it was flagged

The search helper reads Markdown files across the configured vault and returns matched context to the agent. This is purpose-aligned for a knowledge-base skill, but it means private notes can enter the agent context.

Skill content
for md_file in vault.rglob('*.md'):
...
        content = md_file.read_text(encoding='utf-8')
...
                            'context': context[:500]
Recommendation

Point the skill only at the vault you intend the agent to read, avoid storing secrets in that vault, and treat retrieved note text as untrusted context rather than instructions.

What this means

It is harder to verify who maintains the skill or compare it against an upstream project.

Why it was flagged

The package does not provide an upstream source or homepage for independent verification. No remote install behavior is shown, so this is a provenance note rather than evidence of malicious behavior.

Skill content
Source: unknown
Homepage: none
Recommendation

Install only if you trust the publisher, and review the included scripts before allowing them to modify important notes.