Security scan
OpenClaw
Suspicious
medium confidence
Assessment and recommendations
This skill appears to do what it says (auto-commit, pull --rebase, push, and signal conflicts), but review and test before deploying. Concrete precautions:
- Inspect the two scripts yourself. They run git init / git remote add and will modify the vault directory and .git metadata; run them first on a throwaway test copy of your vault.
- The registry metadata does not declare required env vars; set and verify these before running: OBSIDIAN_VAULT_DIR and GITHUB_REMOTE_URL. Ensure the remote URL/...
ℹ Purpose and capability
The name/description (Obsidian <-> GitHub sync) aligns with the included scripts: they commit local changes, pull --rebase, and push to a remote. The behavior (conflict flagging, cron/systemd examples) is consistent with the stated purpose. Minor mismatch: scripts assume branch name 'master' which may not match many repos using 'main'.
ℹ Instruction scope
SKILL.md and the two scripts instruct the agent (and a user) to read and write the vault directory, create/modify the .git repository, write logs (/tmp/obsidian-sync.log) and a conflict flag (/tmp/obsidian-sync-conflict.flag), and run git operations (init, remote add, commit, pull --rebase, push). These actions stay within the scope of syncing but are far-reaching (they can initialize repos and modify git history). The instructions do not request or transmit data to any unexpected external endpoints beyond the configured GitHub remote.
✓ Install mechanism
No install spec and only small shell scripts are included. Nothing is downloaded from external URLs and no archives are extracted. Risk from installation is low because there is no automated network install step.
⚠ Credential requirements
The registry metadata lists no required environment variables, but SKILL.md and the scripts require OBSIDIAN_VAULT_DIR and GITHUB_REMOTE_URL (and optionally other env vars). That mismatch is an incoherence: the skill effectively needs filesystem and git/SSH access but the registry does not declare or surface those requirements. The requested env variables themselves are reasonable for the task (they don't include unexpected secret tokens), but GITHUB_REMOTE_URL implies use of SSH keys or credentials which the skill does not manage.
✓ Persistence and privileges
always:false and the skill is user-invocable; it does not demand forced always-on presence. The scripts suggest adding cron/systemd timers but that is optional and under user control. The skill does modify the vault directory (including initializing a .git repo) which is expected for its purpose but is a privileged filesystem action the user should approve.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/3/19
● Benign
Install command
Official: npx clawhub@latest install obsidian-github-sync
Mirror: npx clawhub@latest install obsidian-github-sync --registry https://cn.longxiaskill.com