Skill v1.0.0

ClawScan security

Obsidian Cli Tool · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 4, 2026, 6:24 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions match its name and description (Obsidian CLI operations and plugin development); there are no unexpected installs or credential requests. However, the runtime commands it documents (notably plugin eval, which runs arbitrary JavaScript inside the Obsidian process, and delete, which removes notes) are powerful and can modify or expose vault data, so use with caution.
Guidance
This skill appears to do what it claims (control Obsidian via the obsidian CLI), and it asks for no external credentials. Before installing or enabling it for autonomous use, consider:
1) Ensure the local 'obsidian' CLI and the Obsidian CLI plugin are what you expect (installed from a trustworthy source).
2) Do not allow autonomous agent invocation if you don't want the agent to run destructive or arbitrary-code commands (plugin eval and delete).
3) Back up your vault before permitting operations that modify or delete notes.
4) Prefer manual review of any command the agent proposes that uses plugin eval or another high-impact operation.
If you want stricter safety, ask the skill to declare the 'obsidian' binary dependency, and consider restricting the set of allowed commands (e.g., disable eval/delete) or only using the skill in a disposable/testing vault.

Review Dimensions

Purpose & Capability
ok
The SKILL.md documents CLI commands for listing/opening/searching/creating/deleting notes and plugin development (reload, eval, screenshot, DOM). These directly align with the skill name and description. The only minor coherence issue is that the skill doesn't declare the 'obsidian' CLI as a required binary in metadata, even though the instructions depend on it and on an open Obsidian instance.
Instruction Scope
note
Instructions stay within the stated domain (vault and plugin operations). However, 'obsidian plugin eval "<code>"' allows arbitrary JavaScript execution inside the running Obsidian process and can access or modify vault contents or the host environment; 'obsidian delete <note>' performs destructive actions. These are expected for plugin/dev tasks but are high-impact, so they warrant caution.
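The guidance above suggests restricting the set of commands the agent may run (disable eval/delete), and this dimension names the two commands that matter. The wrapper below is an added example of one way to do that; it is not code from the skill or from ClawHub. It assumes the command forms exactly as the scan cites them ('obsidian delete <note>', 'obsidian plugin eval "<code>"'), and the names obsidian_guard, obsidian_policy_check and the OBSIDIAN_BIN variable are hypothetical; check the spelling of the subcommands against the CLI you actually have installed before relying on the case arms.

```shell
#!/bin/sh
# obsidian_guard: a hypothetical allow/deny wrapper placed in front of the
# Obsidian CLI so an agent cannot reach the high-impact subcommands the scan
# flags ('delete' and 'plugin eval'). Not part of the skill or of ClawHub.
#
# Assumptions (not from the scanned skill):
#   - The real CLI is reachable as $OBSIDIAN_BIN (default: 'obsidian' on PATH).
#   - Command forms follow the scan's own citation:
#       obsidian delete <note>
#       obsidian plugin eval "<code>"
#     Adjust the case arms below if your installed CLI spells them differently.

: "${OBSIDIAN_BIN:=obsidian}"

# Policy decision only: returns 0 = allowed, 1 = denied. Kept separate from
# execution so it can be tested without a running Obsidian instance.
# To extend the denylist, add another case arm.
obsidian_policy_check() {
    case "$1" in
        delete)
            return 1 ;;                 # destructive: removes a note
        plugin)
            case "$2" in
                eval) return 1 ;;       # arbitrary JS inside the Obsidian process
            esac ;;
    esac
    return 0
}

# Wrapper the agent is given instead of the raw binary. Denied commands are
# logged to stderr and rejected with a distinctive exit code; everything else
# is forwarded unchanged, with an audit line so every invocation is visible.
obsidian_guard() {
    if ! obsidian_policy_check "$@"; then
        printf 'obsidian_guard: refused high-impact command: obsidian %s\n' "$*" >&2
        return 77
    fi
    printf 'obsidian_guard: forwarding: obsidian %s\n' "$*" >&2
    "$OBSIDIAN_BIN" "$@"
}

# When installed as an executable named obsidian-guard, act as the CLI front.
if [ "${0##*/}" = "obsidian-guard" ]; then
    obsidian_guard "$@"
fi
```

Install it as obsidian-guard on the agent's PATH and point the agent's tool configuration at that name, keeping the real binary out of the agent's reach. The wrapper only helps if the agent cannot call 'obsidian' directly; an agent with unrestricted shell access can bypass it, so treat it as a complement to the disposable-vault and manual-review advice above, not a replacement.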
Install Mechanism
ok
This is an instruction-only skill with no install spec and no code files, so nothing will be written to disk by the skill itself. That is lower risk and consistent with the declared metadata.
Credentials
ok
The skill requests no environment variables, credentials, or config paths, which is appropriate for a local CLI wrapper. Note that the skill can still perform powerful actions within the user's Obsidian instance (read/delete/execute JS) without requesting external secrets.
Persistence & Privilege
ok
'always' is false and the skill does not request modification of other skills or global agent settings. The agent may invoke the skill autonomously (platform default); combined with commands like plugin eval and delete, that increases operational risk if the agent is permitted to run without human review.