obclip
v1.0.0
Install, verify, and operate the obclip CLI to clip live web pages into Markdown or Obsidian notes. Use when Codex needs to install the @harris7/obclip npm p...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the content: the SKILL.md explains how to install, invoke, and troubleshoot the @harris7/obclip CLI. All declared artifacts (command recipes, install advice, troubleshooting) are appropriate for a CLI helper.
Instruction Scope
Instructions stay within clipping/CLI scope. They do advise using --browser-profile and --browser-executable: pointing the tool at a browser profile can expose cookies/session state to the invoked browser process (a legitimate need for logged-in clipping but a privacy risk). The skill itself does not ask the agent to read arbitrary files or secrets beyond providing paths to obclip; it warns not to point at your daily Chrome profile.
Install Mechanism
This is an instruction-only skill (no install spec). Runtime instructions tell the agent to run npm install -g or npx @harris7/obclip. Using npm/npx executes code from the npm registry (expected for a CLI helper) — moderate trust required in the published package and its maintainer.
Credentials
No environment variables, secrets, or unrelated credentials are requested. The only potential sensitive input is a browser profile path (user-provided) which is justified for logged-in captures but should be used cautiously.
Persistence & Privilege
Skill is not always-on; it is user-invocable. agents/openai.yaml sets allow_implicit_invocation true (the agent may invoke the skill implicitly/autonomously). That is the platform default for many skills; combined with the previous note about profile paths, consider whether you want automated runs that might be given profile paths.
Scan Findings in Context
[no_regex_findings] expected: The static scanner found no code patterns; this is expected because the skill is instruction-only (only SKILL.md and markdown references). The primary risk surface is the runtime behavior the instructions prescribe (npm/npx, passing browser profile paths).
Assessment
This skill appears to do what it says: it tells the agent how to install and run the obclip CLI. Before installing or running it, consider: 1) npm/npx will fetch and execute code from the npm registry — verify the @harris7/obclip package and its source (review repository, recent publish history) if you don't already trust it; 2) avoid pointing --browser-profile at your daily Chrome/Edge profile because that exposes cookies and session tokens to the launched browser process — use a dedicated profile directory; 3) when using npx you are running a transient remote package (inspect it first if you need to); 4) the skill configuration allows the agent to invoke the skill implicitly — if you want to avoid automated runs, disable implicit/autonomous invocation or only call the skill explicitly. If you want deeper assurance, request the package repository URL and review the obclip package's source before running npm install.
Like a lobster shell, security has layers — review code before you run it.
