graphthulhu

v1.0.0

Knowledge graph MCP server for Logseq and Obsidian. 37 tools for reading, writing, searching, and analyzing your second brain.

by Max Skridlevsky (@skridlevsky)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The declared required binary (graphthulhu) and the SKILL.md both describe an MCP server for Logseq and Obsidian, which is coherent. However registry metadata lists no required env vars or source/homepage, while SKILL.md points to a GitHub project and documents LOGSEQ_API_URL and LOGSEQ_API_TOKEN usage — a metadata mismatch that should be clarified.
Instruction Scope
Instructions are scoped to running a local graphthulhu binary and configuring MCP entries for Obsidian (vault path) or Logseq (HTTP API URL + token). That aligns with the stated functionality, but the skill explicitly requires full read/write access to your vault (create/update/delete/rename blocks/pages), which is high-privilege — expected for this purpose but worth explicit consent and backups.
Install Mechanism
No formal install spec in the registry; SKILL.md tells users to download a binary from GitHub Releases or run `go install github.com/skridlevsky/graphthulhu@latest`. Both options execute third-party code on the machine. Downloading arbitrary binaries or building from a remote repo carries moderate risk and should be audited (verify releases, checksums, and source code) before running.
Credentials
Registry declares no required env vars, but the Logseq example uses LOGSEQ_API_URL and LOGSEQ_API_TOKEN (credentials that grant access to local Logseq content). Requiring a token for Logseq is proportionate to the feature, but the omission from metadata is a discrepancy; confirm required env vars and limit token scope where possible.
Persistence & Privilege
The skill is not marked always:true and does not request persistent platform-wide privileges. It will invoke a local binary you install; autonomous agent invocation is allowed by default (normal), so be aware an agent could call this binary if the skill is enabled.
What to consider before installing
This skill appears to be what it says (an MCP server for Logseq/Obsidian) but take these precautions before installing:
1) Confirm the GitHub repository and inspect the source/release assets (checksums, signatures) before running the binary or using `go install`.
2) Recognize the tool gets full read/write access to your vault — back up your notes and restrict the Logseq token scope.
3) Ask the publisher or registry maintainer to update metadata to list the LOGSEQ_API_URL/LOGSEQ_API_TOKEN requirement and the GitHub source.
4) Prefer running the binary in a controlled environment (sandbox or dedicated machine) until you trust it.
If you want higher confidence, request a signed release, checksum, or an install spec from a well-known package host.

Like a lobster shell, security has layers — review code before you run it.

Tags: knowledge-graph, latest, logseq, mcp, memory, obsidian, second-brain

Runtime requirements

Bins: graphthulhu
