Obsidian Local REST API
v1.1.0
Read, write, search, append, patch, and manage notes in any Obsidian vault via the Local REST API on Windows, macOS, or Linux.
by Only 1 Naren (@nj070574-gif)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the requested environment (OBSIDIAN_URL, OBSIDIAN_API_KEY) and all prescribed actions (curl to plugin endpoints) are directly related to the Obsidian Local REST API.
Instruction Scope
Instructions require editing the systemd service, restarting it, and inspecting /proc/<pid>/environ to verify env vars — these are relevant to ensuring the gateway process has the credentials but are system-level operations that require root and access to process environment. The docs also recommend printing or hardcoding API keys for testing and instruct use of `curl -sk` (skip TLS verification). These steps are functional but increase the chance of accidental secret exposure.
Install Mechanism
This is instruction-only (no install spec), so nothing is written by the installer. Manual install instructions point to a personal GitHub repo (https://github.com/nj070574-gif/openclaw-obsidian-vault-skill) if the user chooses that path — cloning a third-party repo is normal but should be reviewed before use.
Credentials
The only required environment variables are OBSIDIAN_URL and OBSIDIAN_API_KEY, which are appropriate. However, the SKILL.md suggests actions that can leak the API key (echoing it, substituting literal keys into commands, reading process env, and using curl -sk). Those are disproportionate from a secrecy-handling perspective and deserve caution.
Persistence & Privilege
Skill does not request always:true or other elevated platform privileges. It asks operators to add env vars to the OpenClaw systemd service (normal for a service-bound credential) and restart the service — this is a standard installation step and confined to the service.
Assessment
This skill appears to do exactly what it says: talk to the Obsidian Local REST API using an API key and URL. Before installing, consider the following:
(1) The skill requires storing your Obsidian API key in the OpenClaw service environment — store secrets with restrictive file permissions and avoid pasting them into shells where they appear in history.
(2) The instructions recommend curl -sk (skip TLS verification) and may suggest hardcoding the key for a session — prefer properly-signed TLS or a secure local network, and avoid hardcoding secrets in commands.
(3) Verifying env vars via /proc/<pid>/environ and echoing key length can expose secrets to other admins/users — run checks as root only when necessary and remove test outputs.
(4) The manual install references a personal GitHub repo; if you plan to clone it, review its contents before running.
(5) If you need tighter security, consider alternative secret delivery (systemd drop-ins with limited perms, a secrets manager, or making the plugin listen on localhost-only and using firewall rules).
If you accept these operational tradeoffs and follow safer secret-handling practices, the skill is coherent with its stated purpose.
Like a lobster shell, security has layers — review code before you run it.
