Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Obsidian Ontology Sync 1.0.1
v1.0.0Bidirectional sync between Obsidian PKM (human-friendly notes) and structured ontology (machine-queryable graph). Automatically extracts entities and relatio...
⭐ 0· 97·6 current·6 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description promise 'Bidirectional sync' implies ontology↔Obsidian updates, but the included code and instructions only show extraction (Obsidian → ontology) and writing append-only JSONL entries. There is no clear implementation of writing back to the Obsidian vault; that mismatch could be sloppy documentation or a missing feature. Also the code embeds a hard-coded list of project names (ValueChain, BytePlus, Benow, Wirerr) which is unexpected for a general PKM tool and should be explained.
Instruction Scope
SKILL.md and scripts instruct the agent to scan user note directories and write a graph.jsonl under the user's configured vault (defaults to /root/life/pkm/memory/ontology). Reading/writing those files is consistent with the stated extraction/analysis purpose. The instructions recommend running via cron and provide dry-run flags. No instructions reference unrelated system files, secrets, or external endpoints.
Install Mechanism
This is instruction-only with a single included script and no install spec or downloads—lowest install risk. The code runs locally and writes files under configured paths; nothing is pulled from third-party URLs.
Credentials
No environment variables or credentials are required. The script reads configuration files from default paths (e.g., /root/life/pkm/ontology-sync/config.yaml and /root/.openclaw/workspace/skills/...) which is reasonable for a local tool, but you should confirm the vault path before running to avoid scanning unintended directories.
Persistence & Privilege
The skill is not marked always:true and does not request elevated platform privileges. It creates and appends to files in the configured vault area (creates memory/ontology/graph.jsonl); this is within scope for a sync tool but be aware writes are append-only and there is no locking or transactional safety.
What to consider before installing
Things to check before installing or running: 1) The README/SKILL claim 'bidirectional' but the provided script only extracts and appends to a local graph.jsonl—if you need automatic writes back into your notes, inspect the remaining code (feedback/ write-back) to confirm behavior. 2) Run the tool in --dry-run --verbose first and point it at a test copy of your vault to observe what it would extract and what files it would write. 3) Confirm the configured vault path (default is /root/life/pkm) so it doesn't scan unexpected user/system directories. 4) Review the remainder of the feedback implementation (truncated in the bundle) to ensure it does not perform network I/O or exfiltrate data. 5) Note the script will write graph.jsonl in your vault area (append mode); back up that directory if you care about provenance or atomicity. 6) The hard-coded project name list is unusual—check whether it will incorrectly tag or create project entities. If you want higher assurance, request the complete, untruncated source (full feedback routine) and confirm there are no network calls or credential usage before granting automated cron/agent runs.Like a lobster shell, security has layers — review code before you run it.
latestvk9789n22kfrnjgpxxt68137hph83geas
License
MIT-0
Free to use, modify, and redistribute. No attribution required.