ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Obsidian Cloudflare Pages

Publish selected Obsidian markdown from a vault to a static site and deploy to Cloudflare Pages.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
1 · 224 · 1 current installs · 1 all-time installs
byDavid O.@davidyoh
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (publish Obsidian/Markdown to Cloudflare Pages) align with the included CLI (bin/publishmd-cf.js), README, and SKILL.md. Required binaries and env vars described in the docs (node, rsync, npm, npx, quartz, wrangler, CLOUDFLARE_API_TOKEN / CLOUDFLARE_ACCOUNT_ID) are exactly what a Cloudflare Pages deployer + static-site builder would need.
Instruction Scope
Instructions and the CLI operate within the publishing workflow (init, wizard, sync, build, deploy). The script intentionally reads an Obsidian config file (~/Library/Application Support/obsidian/obsidian.json) to detect vaults — this is consistent with its purpose but is macOS-specific. The sync step runs destructive commands (rm -rf "<dest>"/* and rsync into the workspace) and the README/SKILL.md explicitly warn that a fallback bootstrap may clear files in the configured workspace. These destructive operations are expected for a sync/deploy tool but mean you should point the skill at a dedicated/test workspace and review config before running.
Install Mechanism
No install spec — instruction-only with a bundled Node CLI. That is the lowest-install-risk category. The script uses child_process.execSync to invoke system binaries (rsync, npx, wrangler), which is expected for a CLI orchestration tool and matches the declared prerequisites.
Credentials
The skill does not require unrelated credentials. It expects Cloudflare API token and account id environment variables (names configurable) — appropriate for deploying to Pages. A caution: the wizard and config store basic-auth username/password and some settings in the skill-local config/config.json (and .env is recommended for tokens). Storing credentials in config.json or leaving .env in an unprotected location would expose secrets; the docs recommend .env and not committing personal config.
Persistence & Privilege
always:false and normal autonomous invocation defaults. The skill writes its own config (config.json), may create middleware at <workspace>/functions/_middleware.js for basic auth, and will modify files under the configured workspace/content directory. It does not request elevated agent-wide privileges or edit other skills' configs. Because it can delete/overwrite workspace content, the user should configure an isolated workspace.
Assessment
This skill appears to do what it says: sync selected Markdown from an Obsidian vault, build with Quartz, and deploy to Cloudflare Pages. Before running it: 1) Use a dedicated test workspace directory (the tool runs rm -rf on the publish content folder and may clear the workspace during bootstrap). 2) Provide a scoped Cloudflare API token (Pages:Edit and DNS:Edit only if you need DNS automation). 3) Keep secrets out of chat and prefer the skill-local .env (and never commit your .env or config.json with real credentials). 4) Review config/config.json after running the wizard — basic auth credentials may be stored in plaintext there unless you move them to a protected .env. 5) If you're not on macOS, vault auto-detection may not work (the script checks a macOS-specific path). If any of these behaviours are unacceptable (deletion of workspace files or plaintext credentials), do not install or run the skill until you have reviewed/modified the code and configured a safe workspace.

Like a lobster shell, security has layers — review code before you run it.

Current versionv0.1.0
Download zip
latestvk970xpd9ef8k98sfnhw499ppmx829gaa

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

OpenClaw Skill: Obsidian/Markdown → Cloudflare Pages

This is an OpenClaw Skill for publishing Markdown to Cloudflare Pages.

  • Works with Obsidian vault folders or any Markdown folder
  • Originally built for reading Obsidian Web Clipper output:

Automates a safe publishing flow:

  1. Select notes from your source folder
  2. Sync to a publish workspace
  3. Build static HTML with Quartz
  4. Deploy to Cloudflare Pages

Commands

  • node skills/obsidian-cloudflare-pages/bin/publishmd-cf.js init
    • Creates config/config.json from example
  • node skills/obsidian-cloudflare-pages/bin/publishmd-cf.js wizard
    • Interactive setup wizard for config (vault, folders, site/domain, Cloudflare project)
  • node skills/obsidian-cloudflare-pages/bin/publishmd-cf.js setup-project
    • Initializes Quartz project in configured workspace if missing
  • node skills/obsidian-cloudflare-pages/bin/publishmd-cf.js doctor
    • Validates paths + required binaries
  • node skills/obsidian-cloudflare-pages/bin/publishmd-cf.js sync
    • Syncs selected notes/assets into publish content folder
  • node skills/obsidian-cloudflare-pages/bin/publishmd-cf.js build
    • Runs Quartz build in project dir
  • node skills/obsidian-cloudflare-pages/bin/publishmd-cf.js deploy
    • Deploys to Cloudflare Pages with wrangler
  • node skills/obsidian-cloudflare-pages/bin/publishmd-cf.js run
    • sync → build → deploy

Config

Copy and edit:

skills/obsidian-cloudflare-pages/config/config.example.jsonskills/obsidian-cloudflare-pages/config/config.json

Safety defaults

  • Publish allowlist by folder
  • Optional publish: true frontmatter gate
  • Exclude private folders by default

Requirements

  • node 20+
  • rsync
  • npm
  • npx quartz
  • wrangler

Cloudflare API token setup (recommended)

Create a Cloudflare API token with at least:

  • Account → Cloudflare Pages:Edit
  • (Optional) Zone → DNS:Edit if you want DNS automation elsewhere

You can either export env vars in your shell profile (~/.zshrc) or use the skill-local .env file.

Option A: shell profile (~/.zshrc)

export CLOUDFLARE_API_TOKEN="<your-token>"
export CLOUDFLARE_ACCOUNT_ID="<your-account-id>"

Reload shell:

source ~/.zshrc

Option B: skill-local env file (recommended for this skill)

cp skills/obsidian-cloudflare-pages/.env.example skills/obsidian-cloudflare-pages/.env
# then edit .env

The CLI auto-loads skills/obsidian-cloudflare-pages/.env (without overriding existing shell env vars).

Wizard now asks for:

  • Full production domain (e.g. YOURDOMAIN.COM)
  • Branding settings (root source folder, source index label, root index label, sidebar title HTML)
  • Token/account env var names (defaults above)
  • Optional basic-auth protection (username/password)

Notes

  • ⚠️ setup-project fallback behavior: if the direct Quartz bootstrap command fails, the fallback path may clear files in the configured workspace directory before cloning Quartz. Use a dedicated workspace path for this skill.

OpenClaw usage tips

Example prompts:

  • “Set up obsidian-cloudflare-pages wizard for my markdown folder.”
  • “Run doctor and tell me what dependency is missing.”
  • “Sync, build, and deploy to Cloudflare Pages.”
  • “Enable basic auth and redeploy.”

Best practices:

  • Keep secrets in .env (never in chat logs)
  • Commit config.example.json, not personal config.json
  • Use a scoped Cloudflare token (Pages edit, DNS edit only if needed)
  • Start on a test subdomain before production

Standalone usage (outside OpenClaw)

This works as a plain Node CLI too:

node bin/publishmd-cf.js init
node bin/publishmd-cf.js wizard
cp .env.example .env
# fill .env values
node bin/publishmd-cf.js run

Security note

Basic auth in this skill is intentionally simple and optional. Do not publish highly sensitive content unless you fully understand your security model and hardening choices.

Files

5 total
Select a file
Select a file to preview.

Comments

Loading comments…