ClawAudit verdict

obsidian-plugin-dev

obsidian-plugin-dev-skill

88
๐ŸŸข Trusted
Low risk โ€” reviewed by ClawAudit, behavior matches stated purpose

Receives external input AND uses eval

Obsidian plugin development reference skill covering TypeScript plugin lifecycle, APIs, and CI/CD; dynamic_eval is a capabilities hint but no malicious eval pattern appears in the content.

Automated static analysis โ€” not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives. Disagree with this verdict? Use Dispute below.

0
security
80
transparency
90
maintenance

What it does

These are capability combinations: each listed behavior occurs in the skill, but ClawAudit detects co-occurrence โ€” it does not verify that one flows into another. Read the code to confirm a live chain.

Capability combination critical

Receives external input AND uses eval โ€” the remote code-injection pattern (data-flow not verified)

LLM01 ยท LLM05 ยท ASI01 ยท ASI05

Findings (3)

Pattern match critical

<script> tag in markdown โ€” potential code injection

reference/frameworks.md ยท code ยท <script>

Pattern match high

Uses exec() โ€” may execute shell commands

reference/editor-extensions.md ยท code ยท exec(

Pattern match medium

Base64 encode (btoa) โ€” may obfuscate data exfiltration

reference/security.md ยท code ยท btoa(

Permissions & capabilities

No declared permissions โ€” minimal attack surface.

network_indynamic_eval
Check another skill Browse the registry Auditing your own skills or configs? Use the API