Trust Assessment
obsidian-conversation-backup received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 4 critical, 2 high, 0 medium, and 0 low severity. Key findings include Persistence / self-modification instructions, Command Injection via unsanitized user input in install.sh, Path Traversal via unsanitized topic name in save_full_snapshot.sh.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 10/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Description | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions | Crontab manipulation (list/remove/edit) | Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/laserducktales/obsidian-conversation-backup/SKILL.md:44 |
| CRITICAL | Persistence / self-modification instructions | Crontab manipulation (list/remove/edit) | Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/laserducktales/obsidian-conversation-backup/SKILL.md:187 |
| CRITICAL | Persistence / self-modification instructions | Crontab manipulation (list/remove/edit) | Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/laserducktales/obsidian-conversation-backup/install.sh:56 |
| CRITICAL | Command Injection via unsanitized user input in install.sh | The `install.sh` script uses user-provided paths (VAULT_PATH, SESSION_DIR, TRACKING_DIR) directly within `sed -i` commands. If these inputs contain shell metacharacters or `sed` delimiters (like '\|', '&', ';', '\`', '$', etc.), an attacker could inject and execute arbitrary commands on the system. The `read -p` command does not sanitize input, making this a direct command injection vulnerability. | Sanitize user input by escaping all shell metacharacters and `sed` delimiters before using it in `sed` commands. Alternatively, use a safer configuration method that does not involve direct string substitution with unsanitized input, such as templating with a dedicated tool or environment variables. | LLM | install.sh:30 |
| HIGH | Path Traversal via unsanitized topic name in save_full_snapshot.sh | The `save_full_snapshot.sh` script constructs a filename using a user-provided topic name (`$1`). If the topic name contains path traversal sequences (e.g., '../', '/'), an attacker could write files to arbitrary locations outside the intended `VAULT_DIR`. This could lead to overwriting critical system files or placing malicious content in unexpected directories. | Sanitize the user-provided topic name (`$TOPIC`) by removing or replacing path separators ('/', '..') and other potentially dangerous characters. Restrict the topic name to alphanumeric characters, hyphens, and underscores, or implement strict validation to ensure it only represents a valid filename component. | LLM | scripts/save_full_snapshot.sh:15 |
| HIGH | Access to sensitive Telegram Bot Token and potential for data exfiltration | The `monitor_and_save.sh` script attempts to read a Telegram bot token from `/root/.clawdbot/clawdbot.json`. While the script intends to use this token in a `curl` command to send token usage warnings to `api.telegram.org`, the `CHAT_ID` variable required for the `curl` command is undefined, rendering the notification functionality non-operational. However, the skill still accesses a sensitive credential (the bot token) from a system file. This access, combined with the intended external network communication, poses a risk. If `CHAT_ID` were to be defined from an untrusted source, or if the `curl` command itself were vulnerable to injection, the bot token could be exfiltrated to an attacker-controlled server. | Minimize the scope of access to sensitive credentials. If external notifications are critical, consider using a more secure mechanism that does not expose the raw token to the shell environment or rely on direct `curl` calls. Ensure all variables used in `curl` commands are strictly validated and sanitized. Define `CHAT_ID` securely or remove the Telegram notification feature if not strictly necessary. Implement least privilege for the skill's execution environment. | LLM | scripts/monitor_and_save.sh:80 |