ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Obsidian Official CLI Skill

v1.0.0

Work with Obsidian vaults using the official Obsidian CLI (v1.12+). Open, search, create, move, and manage notes from the terminal. Use when working with Obsidian vaults for note management, file operations, searching content, managing tasks, properties, links, plugins, themes, sync operations, or any command-line interaction with Obsidian.

2· 2.7k·16 current·16 all-time
by@slmoloch
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description describe using the official Obsidian CLI and the SKILL.md contains detailed, coherent CLI commands and examples that match that purpose. No unrelated credentials, binaries, or services are requested.
Instruction Scope
The SKILL.md instructs the agent to run local obsidian CLI commands (create/move/delete notes, manage plugins, take screenshots, access developer console/DOM inspection). Those are within the skill's domain, but they grant broad access to your vault and Obsidian app state (including destructive file operations and plugin/theme management). This is expected for an Obsidian CLI skill but worth attention: the agent may read, modify, or delete local notes and settings.
Install Mechanism
There is no install spec in the registry (instruction-only skill). README suggests downloading a .skill file from a GitHub releases page, but registry metadata lists source/homepage as unknown/none — an inconsistency in provenance. No archived downloads or remote installers are embedded in the skill bundle itself.
Credentials
The skill requests no environment variables or credentials. It does require the user to have Obsidian 1.12+ with the CLI enabled and the obsidian command registered locally — these are proportional to the described functionality.
Persistence & Privilege
always is false and the skill is user-invocable; model invocation is allowed (default). Autonomous invocation is normal for skills; this skill does not request elevated system-wide privileges or to persist in other skills' configs.
Assessment
This skill appears to do what it says — it runs your local obsidian CLI and can read and change files in your vault. Before installing: (1) verify the skill package comes from a trusted source (the registry shows no homepage/source even though README references a GitHub releases URL), (2) back up your vaults, (3) test the obsidian CLI manually (obsidian version; a few safe read commands) to confirm your setup, (4) be aware the agent can run destructive commands (delete/move, plugin install/enable), so only allow the skill if you trust the skill/publisher or run it in a sandbox/test vault. If provenance is unclear, prefer skills with a verifiable repository or official homepage.

Like a lobster shell, security has layers — review code before you run it.

latestvk978vxed8z8jk8003w6gpj8xw980zxmr

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments