Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Trilium

v0.0.1

Use when interacting with a Trilium Notes server via the ETAPI REST API - creating, reading, updating, searching, or deleting notes, branches, attributes, at...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for yanickxia/trilium-etapi.

Install the skill "Trilium" (yanickxia/trilium-etapi) from ClawHub.
Skill page: https://clawhub.ai/yanickxia/trilium-etapi
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install yanickxia/trilium-etapi

ClawHub CLI


npx clawhub@latest install trilium-etapi
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The name, description, and endpoint reference all align with interacting with Trilium ETAPI. The operations shown (create/read/update/delete notes, branches, attributes, attachments, exports, backups) are coherent for a Trilium integration. However, the skill metadata lists no required environment variables or credentials while the instructions explicitly rely on TRILIUM_URL and TRILIUM_TOKEN (and optionally a password) — a mismatch between declared requirements and actual usage.
Instruction Scope
SKILL.md contains concrete curl-based runtime instructions that read and write local files (e.g., --data-binary @body.html, -o subtree.zip), perform destructive actions (DELETE /notes, PUT /backup/, POST /import), and demonstrate exchanging a password for a token via /auth/login. These are all within the Trilium ETAPI domain, but the doc gives the agent broad discretion to read local files and write outputs and it assumes env vars exist. The instructions could cause data loss on the Trilium server if used without care.
Install Mechanism
Instruction-only skill with no install spec and no bundled code. This is low-risk from an install/execution perspective (nothing is downloaded or written by an installer).
Credentials
The skill requests no env vars in its metadata, yet the runtime instructions assume TRILIUM_URL and TRILIUM_TOKEN (and show how to exchange a password). Required credentials (tokens/passwords) are typical for this API, but the omission from the declared requirements is an inconsistency that could cause accidental misconfiguration or unexpected credential usage. No unrelated credentials are requested, which is good, but the mismatch should be fixed.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It does not modify other skills or global agent settings in the provided materials.
What to consider before installing
This skill appears to be a straightforward curl-based helper for the Trilium ETAPI, but there are a few practical concerns to consider before installing or letting an agent use it:

  • Metadata omission: The SKILL.md relies on TRILIUM_URL and TRILIUM_TOKEN (and shows exchanging a password for a token), but the skill metadata declares no required environment variables. Ask the publisher to declare TRILIUM_URL and TRILIUM_TOKEN (and any password usage) explicitly so you can audit and control what credentials are provided.
  • Destructive operations: Examples include DELETE /notes, POST /notes/{id}/import, and PUT /backup/{name}. Test with a safe, non-production Trilium instance first and prefer read-only operations to confirm behavior.
  • Local file I/O: The snippets read local files (e.g., --data-binary @body.html) and write outputs (e.g., -o subtree.zip). Ensure the agent has access only to intended files and that scripts run in a controlled directory.
  • Auth handling: Prefer supplying a pre-generated ETAPI token rather than a password. If you must use a password exchange, verify you are pointing to a trusted TRILIUM_URL and be aware the password is sent to that server.
  • Autonomous invocation: The skill can be invoked autonomously by the agent (platform default). That is normal, but because the skill can perform destructive actions on your Trilium server, restrict autonomous use or limit credentials to a read-only token for automated workflows where possible.

If you plan to use this skill, request that the publisher update the skill metadata to declare the required env vars and document intended safety defaults (e.g., example tokens with limited scope or read-only tokens) so you can make an informed decision.


Latest version ID: vk97e4wgyz859hp8r7qd63zs8b185709j
119 downloads
0 stars
1 version
Updated 1w ago
v0.0.1
License: MIT-0

Trilium ETAPI

Overview

ETAPI is the external REST API for Trilium Notes (Trilium ≥ 0.50). All requests require token auth. Resources are addressed by 12-char IDs: noteId, branchId, attributeId, attachmentId.

Core concepts:

  • Note — a content unit (HTML/code/file/image/...), identified by noteId
  • Branch — the parent-child relationship between two notes (the same note can be cloned under multiple parents)
  • Attribute — a label or relation attached to a note
  • Attachment — a binary or text payload owned by a note

When to Use

  • Bulk-create or import notes via script (daily notes, inbox, capture)
  • Push content into Trilium from external systems (RSS, email, webhooks)
  • Search/export Trilium content for consumption by other tools
  • Trigger server-side database backups, export subtrees
  • Debug ETAPI integrations (clients like trilium-py / trilium-client just wrap this API)

Do not use for scripts running inside Trilium — use the frontend/backend Script API directly, no HTTP needed.

Setup

All examples below assume:

export TRILIUM_URL="http://localhost:8080"   # no trailing /etapi
export TRILIUM_TOKEN="<generate via Trilium → Options → ETAPI>"

If you only have a password (and the server allows password login), exchange it for a token:

curl -sX POST "$TRILIUM_URL/etapi/auth/login" \
  -H 'Content-Type: application/json' \
  -d '{"password":"YOUR_PASSWORD"}' | jq -r .authToken

Three auth styles (pick one, in the Authorization header):

  1. Authorization: $TRILIUM_TOKEN — raw token (works on every version)
  2. Authorization: Bearer $TRILIUM_TOKEN — Bearer form (v0.93+)
  3. Authorization: Basic $(echo -n "etapi:$TRILIUM_TOKEN" | base64) — Basic auth (v0.56+)
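
The three header forms and the two URL checks a client should make before sending anything are shown in Python below. This is an added example, not code from the skill or from Trilium; the names auth_header, etapi_base and password_login_allowed are assumptions introduced here. Python is used rather than curl so the helpers run offline.

```python
import base64
from urllib.parse import urlsplit

# Added example, not part of the skill: auth_header, etapi_base and
# password_login_allowed are names introduced here.


def auth_header(token: str, style: str = "raw") -> str:
    """Return the Authorization header value for one of the three styles the
    skill lists: raw token (every version), Bearer (v0.93+) or Basic (v0.56+)."""
    if style == "raw":
        return token
    if style == "bearer":
        return f"Bearer {token}"
    if style == "basic":
        # Basic form is base64("etapi:<token>"), matching the curl snippet above
        creds = base64.b64encode(f"etapi:{token}".encode("utf-8")).decode("ascii")
        return f"Basic {creds}"
    raise ValueError(f"unknown auth style: {style!r}")


def etapi_base(trilium_url: str) -> str:
    """Turn TRILIUM_URL into the ETAPI base URL. TRILIUM_URL must be an absolute
    http(s) URL without a trailing /etapi; a value that already ends in /etapi
    would produce /etapi/etapi/... paths, so it is rejected rather than used."""
    url = trilium_url.strip().rstrip("/")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"TRILIUM_URL is not an absolute http(s) URL: {trilium_url!r}")
    if parts.path.endswith("/etapi"):
        raise ValueError("TRILIUM_URL must not include the trailing /etapi")
    return url + "/etapi"


def password_login_allowed(trilium_url: str) -> bool:
    """Gate the /auth/login password exchange: the password is sent in the
    request body to whichever host TRILIUM_URL names, so permit it only over
    https or to the local machine."""
    parts = urlsplit(trilium_url.strip())
    if parts.scheme == "https":
        return True
    return parts.scheme == "http" and parts.hostname in ("localhost", "127.0.0.1", "::1")
```

In practice a script would call etapi_base once at startup, abort if password_login_allowed is false before ever posting a password, and then pass auth_header(token, "raw") unless a newer server is known to require a different style.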

Quick Reference

Operation               Method  Path
Health / version        GET     /etapi/app-info
Search notes            GET     /etapi/notes?search=...
Read note metadata      GET     /etapi/notes/{noteId}
Read note content       GET     /etapi/notes/{noteId}/content
Write note content      PUT     /etapi/notes/{noteId}/content (text/plain)
Create note             POST    /etapi/create-note
Patch note metadata     PATCH   /etapi/notes/{noteId}
Delete note             DELETE  /etapi/notes/{noteId}
Export subtree as ZIP   GET     /etapi/notes/{noteId}/export?format=html|markdown
Import ZIP              POST    /etapi/notes/{noteId}/import
Create / move branch    POST    /etapi/branches
Create attribute        POST    /etapi/attributes
Create attachment       POST    /etapi/attachments
Day note (auto-create)  GET     /etapi/calendar/days/{YYYY-MM-DD}
Inbox                   GET     /etapi/inbox/{YYYY-MM-DD}
Trigger DB backup       PUT     /etapi/backup/{name}

Full endpoint, parameter, and schema reference: api-reference.md.

Core Patterns (curl + jq)

All snippets below assume TRILIUM_URL and TRILIUM_TOKEN are exported.

1. Health check

curl -s "$TRILIUM_URL/etapi/app-info" -H "Authorization: $TRILIUM_TOKEN" | jq

2. Create a text note

curl -sX POST "$TRILIUM_URL/etapi/create-note" \
  -H "Authorization: $TRILIUM_TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "parentNoteId": "root",
    "title": "Hello from ETAPI",
    "type": "text",
    "content": "<p>Created via curl</p>"
  }' | jq '{noteId: .note.noteId, branchId: .branch.branchId}'

Returns NoteWithBranch: the new note plus the branch mounting it.

3. Replace note content

Content lives on a separate endpoint and the body is text/plain even when the content is HTML:

curl -sX PUT "$TRILIUM_URL/etapi/notes/$NOTE_ID/content" \
  -H "Authorization: $TRILIUM_TOKEN" \
  -H 'Content-Type: text/plain' \
  --data-binary @body.html

4. Search

# fulltext + label
curl -sG "$TRILIUM_URL/etapi/notes" \
  -H "Authorization: $TRILIUM_TOKEN" \
  --data-urlencode 'search=tolkien #book' \
  --data-urlencode 'limit=10' | jq '.results[] | {noteId, title}'

Search syntax matches the Trilium UI search bar. Common forms: #tag, #tag=value, note.content *= "...", ~relation.title = "...".

5. Tag a note

curl -sX POST "$TRILIUM_URL/etapi/attributes" \
  -H "Authorization: $TRILIUM_TOKEN" \
  -H 'Content-Type: application/json' \
  -d "{
    \"noteId\": \"$NOTE_ID\",
    \"type\": \"label\",
    \"name\": \"book\",
    \"value\": \"\",
    \"isInheritable\": false
  }"

6. Day note (auto-created on demand)

TODAY=$(date +%F)
curl -s "$TRILIUM_URL/etapi/calendar/days/$TODAY" \
  -H "Authorization: $TRILIUM_TOKEN" | jq -r .noteId

7. Clone a note to another location (branch)

curl -sX POST "$TRILIUM_URL/etapi/branches" \
  -H "Authorization: $TRILIUM_TOKEN" \
  -H 'Content-Type: application/json' \
  -d "{
    \"noteId\": \"$CHILD_ID\",
    \"parentNoteId\": \"$NEW_PARENT_ID\",
    \"prefix\": \"\",
    \"notePosition\": 100,
    \"isExpanded\": false
  }"

8. Export a subtree as ZIP

curl -s "$TRILIUM_URL/etapi/notes/$NOTE_ID/export?format=markdown" \
  -H "Authorization: $TRILIUM_TOKEN" -o subtree.zip
# Whole document: use noteId="root"

9. Trigger a server-side backup

curl -sX PUT "$TRILIUM_URL/etapi/backup/now" \
  -H "Authorization: $TRILIUM_TOKEN"
# Writes to dataDirectory/backup/backup-now.db

Common Pitfalls

  • Don't add a Bearer prefix to Authorization unless you're on v0.93+ and explicitly want Bearer. The raw token form works on every version.
  • PUT /notes/{id}/content body is text/plain (NOT text/html). The OpenAPI spec is explicit on this.
  • PATCH /notes/{id} only patches a subset: title, type, mime, dateCreated, utcDateCreated. Use PUT .../content to change content.
  • PATCH /branches/{id} only patches prefix and notePosition. To re-parent a note you must DELETE the branch and POST a new one.
  • PATCH /attributes/{id}: labels can only patch value and position; relations can only patch position. Anything else means delete + recreate.
  • Deleting the last branch of a note also deletes the note. Watch out when DELETE-ing branches.
  • notePosition defaults to step 10 (10/20/30...). To insert in front, use 5; to push to the end, use a large value like 1000000. After bulk reorders, call POST /refresh-note-ordering/{parentNoteId} so connected clients refresh.
  • EntityId pattern is [a-zA-Z0-9_]{4,32}. root is the special root noteId.
  • Error responses are always {status, code, message}. Branch on the stable code constant (e.g. NOTE_IS_PROTECTED), not on the human-readable message.
  • /auth/login is rate-limited. Too many failures returns 429 and temporarily blacklists the client IP.
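
Two of the pitfalls above (the EntityId pattern and branching on the error code constant) are worth encoding in helper functions, since the curl snippets interpolate $NOTE_ID straight into the URL and leave error bodies unchecked. The following is an added example, not code from the skill or from Trilium; validate_entity_id, note_path and classify_error are names introduced here, and the sample response bodies in the test are constructed. Only the NOTE_IS_PROTECTED code is taken from the skill text; the other outcomes key on HTTP status.

```python
import json
import re

# Added example, not part of the skill: validate_entity_id, note_path and
# classify_error are names introduced here.

# EntityId pattern from the Common Pitfalls list above
ENTITY_ID_RE = re.compile(r"[a-zA-Z0-9_]{4,32}")


def validate_entity_id(value: str) -> str:
    """Check an ID against the EntityId pattern before it is interpolated into a
    URL path. Besides catching typos, this keeps '/', '..', '?' and '#' out of
    the request line when the ID comes from an untrusted source."""
    if not ENTITY_ID_RE.fullmatch(value):
        raise ValueError(f"not a valid EntityId: {value!r}")
    return value


def note_path(note_id: str, suffix: str = "") -> str:
    """Build /etapi/notes/{noteId}[suffix] from a validated ID."""
    return f"/etapi/notes/{validate_entity_id(note_id)}{suffix}"


def classify_error(status: int, body: str) -> str:
    """Decide what a caller should do with a failed ETAPI response. Error
    bodies are {status, code, message}; branch on the stable code constant,
    never on the human-readable message."""
    if status == 429:
        # rate limit (the skill notes this for /auth/login); the client IP may be
        # blocked temporarily, so retrying immediately only makes it worse
        return "back_off"
    try:
        err = json.loads(body)
    except ValueError:
        return "unexpected"        # not an ETAPI error object (proxy page, HTML, ...)
    if not isinstance(err, dict) or "code" not in err:
        return "unexpected"
    if err["code"] == "NOTE_IS_PROTECTED":
        return "skip_protected"    # code constant named in the pitfalls list above
    if status == 401:
        return "reauth"            # token missing, wrong or revoked
    return "unexpected"
```

A bulk script would map "back_off" to a sleep-and-retry, "skip_protected" to logging and moving on, "reauth" to stopping the run, and "unexpected" to failing loudly with the raw body attached.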

Note Types

type         Use                      mime required?
text         Rich text (HTML)         no
code         Source code              yes (e.g. text/x-python)
file         Binary file              yes
image        Image                    yes (e.g. image/png)
search       Saved search             no
book         Folder-style container   no
relationMap  Relation map             no
render       Custom renderer          no

You may also see these on read: noteMap, mermaid, webView, shortcut, doc, contentWidget, launcher.

Workflow: Append to today's day note

A typical inbox / capture flow — append arbitrary text to today's day note:

TODAY=$(date +%F)
NOTE_ID=$(curl -s "$TRILIUM_URL/etapi/calendar/days/$TODAY" \
  -H "Authorization: $TRILIUM_TOKEN" | jq -r .noteId)

OLD=$(curl -s "$TRILIUM_URL/etapi/notes/$NOTE_ID/content" \
  -H "Authorization: $TRILIUM_TOKEN")

NEW="${OLD}<p>$(date +%H:%M) — $1</p>"

curl -sX PUT "$TRILIUM_URL/etapi/notes/$NOTE_ID/content" \
  -H "Authorization: $TRILIUM_TOKEN" \
  -H 'Content-Type: text/plain' \
  --data-binary "$NEW"
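
The script above interpolates $1 into the note body as raw HTML and PUTs back whatever the GET returned, even if that was an error object. The helpers below show the two guards a hardened version needs; they are an added example, not code from the skill or from Trilium. append_entry and is_etapi_error are names introduced here, the sample inputs are constructed, and the separator after the timestamp is a plain hyphen.

```python
import html
import json
from datetime import datetime

# Added example, not part of the skill: append_entry and is_etapi_error are
# names introduced here.


def is_etapi_error(body: str) -> bool:
    """True when a response body is an ETAPI error object {status, code, message}
    rather than note content. The workflow stores whatever GET .../content
    returned in OLD; if that was an error (expired token, wrong note ID), the
    unguarded script would PUT the error JSON back as the note's new content."""
    try:
        obj = json.loads(body)
    except ValueError:
        return False               # ordinary HTML never parses as JSON
    return isinstance(obj, dict) and {"status", "code", "message"} <= set(obj)


def append_entry(old_html: str, text: str, when: datetime) -> str:
    """Return the body the workflow PUTs back: the old content plus one
    paragraph carrying the time and the captured text. The text is HTML-escaped
    so captured input (a clipped page title, a chat line, an email subject) is
    stored as literal text instead of being interpreted as markup in the note."""
    if is_etapi_error(old_html):
        raise RuntimeError("refusing to append: fetched content is an ETAPI error, not note HTML")
    stamp = when.strftime("%H:%M")
    return f"{old_html}<p>{stamp} - {html.escape(text)}</p>"


def build_new_content(old_html: str, text: str) -> str:
    """Convenience wrapper using the current time, mirroring $(date +%H:%M)."""
    return append_entry(old_html, text, datetime.now())
```

The same two guards translate directly to the shell version: test the fetched body for the error shape before appending, and pass $1 through an HTML escaper (or store the capture as text/plain in a code note) before wrapping it in a paragraph.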

When You Need More
