Back to skill
Skillv1.0.0
ClawScan security
Obsidian Master Assistant · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 5, 2026, 1:04 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and requirements are consistent with an Obsidian configuration and AI-integration helper; it does not request unexplained credentials or perform hidden network or file access in the provided files.
- Guidance
- This skill appears to be what it claims: an Obsidian configuration and template helper. Before installing, consider: (1) review the SKILL.md and src/index.js (they are small and readable) so you know which files will be created (memory/ and markdown guides); (2) only provide API keys (Claude, Google AI Studio, Telegram/WeChat tokens) if you intend to enable the optional integrations—those integrations will ingest message content and could persist it to memory/; (3) monitor the generated files and the memory/ folder for any personal data you don't want stored; (4) if you plan to connect messaging channels, follow the platform best practices for token handling and revoke tokens you no longer use. Overall the skill is coherent and low-risk based on the supplied files.
Review Dimensions
- Purpose & Capability
- okName/description (Obsidian configuration, templates, AI integration) align with the included files and runtime behavior. The repo and SKILL.md only provide configuration guidance, templates, and text outputs; the bundled src/index.js returns guides/templates and does not require external credentials or unrelated system access.
- Instruction Scope
- noteSKILL.md and src/index.js remain scoped to producing configuration guides, templates, and OpenClaw integration suggestions. It does recommend wiring OpenClaw to messaging channels (Telegram/WeChat) and writing to a local memory/ directory; while this is coherent with the skill's purpose, it means the user may later configure external integrations that ingest personal messages. The skill itself does not contain code that automatically exfiltrates data or calls external endpoints.
- Install Mechanism
- okNo install specification and no package dependencies are declared. This instruction-only + small JS implementation approach minimizes installation risk; nothing is downloaded from external URLs or installed automatically by the skill.
- Credentials
- okThe skill declares no required environment variables, credentials, or config paths. Mentions of optional API keys (Claude, Google AI Studio) are expected for AI integrations and are optional. There are no unexpected credential requests in code or SKILL.md.
- Persistence & Privilege
- okalways is false and the skill is user-invocable. The SKILL.md recommends generating files into the user's workspace (e.g., memory/ and guide markdowns); this is appropriate for a configuration/template skill. The skill does not modify other skills or system-wide settings in its files.