obclip

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only helper for installing and running a page-clipping CLI, with the main risks clearly tied to npm execution and optional browser profile use.

Before installing, verify that you trust the @harris7/obclip npm package and the referenced GitHub skill source. For logged-in sites, use a dedicated browser profile rather than your everyday browser profile so cookies and sessions are limited to the clipping workflow.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The manifest allows implicit invocation and describes activation as "Use $obclip to install or run the obclip CLI and capture a target page into a note," but it does not define clear trigger boundaries, exclusions, or constrained contexts. This creates ambiguity about when the skill should activate versus when similar everyday requests about installing tools, running a CLI, or clipping pages should not invoke it.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal