Obsidian
steipete/obsidian
Work with Obsidian vaults (plain Markdown notes) and automate via obsidian-cli.
Install command
brew install yakitrak/yakitrak/obsidian-cli
Runtime requirements
💎 Clawdis
Bins: obsidian-cli
Security scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
The skill's instructions are plausible for automating Obsidian via obsidian-cli, but there are several inconsistencies and privacy-relevant actions (reading a user config file) that aren't declared or explained.
ℹ Purpose & Capability
The SKILL.md describes exactly the expected functionality (use obsidian-cli to operate on Obsidian vaults). However the skill registry metadata at the top of the package claims no required binaries or install steps, while the embedded SKILL.md metadata requires the 'obsidian-cli' binary and even provides a brew install. This mismatch between declared requirements and the runtime instructions is inconsistent and should be resolved.
! Instruction Scope
Runtime instructions explicitly tell the agent to read the user's Obsidian config at '~/Library/Application Support/obsidian/obsidian.json' to discover vaults. That is a user-home file containing personal metadata about vault locations; reading it is outside a trivial 'note editing' scope and is not declared in the registry-level config. The instructions also assume Obsidian desktop and functioning URI handlers, and give commands that operate on user files (create/move/delete). The skill therefore directs file reads/changes in the user's home directory without those paths being declared.
ℹ Install Mechanism
There is no formal install spec in the registry listing, but the SKILL.md includes an install hint: a brew formula 'yakitrak/yakitrak/obsidian-cli'. Using Homebrew is common, but this references a third-party tap (yakitrak) rather than a canonical upstream package. That raises modest risk: the formula source is not an obviously well-known official release host.
! Credentials
The registry lists no required environment variables or config paths, yet the instructions require reading a specific config file in the user's home directory to find vault paths. Accessing that personal config file is a credential/data-access decision and should be declared. No other credentials are requested, which is proportionate, but the undeclared file access is the main issue.
✓ Persistence & Privilege
The skill…