← Back to Skills Marketplace
415
Downloads
0
Stars
2
Active Installs
2
Versions
Install in OpenClaw
/install openclaw-skill-obsidian-cloudflare-pages
Description
Publish selected Obsidian markdown from a vault to a static site and deploy to Cloudflare Pages.
Usage Guidance
This skill appears to implement the advertised Obsidian→Cloudflare Pages workflow, but review these items before using it:
- Provide Cloudflare credentials only via a local .env or shell environment; the skill expects CLOUDFLARE_API_TOKEN and CLOUDFLARE_ACCOUNT_ID but the registry metadata did not declare them — that is a manifest omission. Treat this as intentional: the tool needs a Cloudflare token to deploy.
- The wizard can store a basic-auth password directly into config.json (plaintext) unless you explicitly use env-backed credentials; prefer BASIC_AUTH_USERNAME/PASSWORD in your environment and do not commit config.json.
- The CLI will attempt to read files in your home directory (it tries to detect Obsidian vaults at a macOS path). If you don't want that, run on a controlled machine or edit the script.
- The script can run arbitrary shell commands (rsync, npx quartz, wrangler) and has a fallback that may clear the configured workspace when ALLOW_DESTRUCTIVE=1 is set — only point the workspace to a dedicated path you can safely wipe.
- Use --dry-run / DRY_RUN=1 first to preview actions, inspect bin/publishmd-cf.js for any code you are uncomfortable with, and consider running the workflow on a test subdomain before production.
If these caveats are acceptable and you verify the code, the skill itself is coherent with its purpose; the main issues are the missing manifest declaration for required envs and the potential for accidental plaintext secret storage and destructive workspace operations.
Capability Analysis
Type: OpenClaw Skill
Name: openclaw-skill-obsidian-cloudflare-pages
Version: 1.0.2
The skill is classified as suspicious due to a shell injection vulnerability in the `sh` function within `bin/publishmd-cf.js`, where configuration values (such as project names or branches) are directly interpolated into `execSync` calls without sanitization. The script also performs local data discovery by reading the Obsidian application's internal configuration file (`obsidian.json`) to locate vaults and handles sensitive credentials by writing them into a generated `_middleware.js` file for deployment. While these actions are aligned with the stated purpose of automating Obsidian-to-Cloudflare publishing, the lack of input validation and the handling of secrets represent significant security flaws.
Capability Assessment
Purpose & Capability
Name and description align with the included CLI and code: it syncs markdown, builds with Quartz, and deploys with Wrangler. However the registry metadata does not declare the Cloudflare API credentials the code actually expects (CLOUDFLARE_API_TOKEN, CLOUDFLARE_ACCOUNT_ID), which is an omission in the manifest.
Instruction Scope
SKILL.md and the CLI instruct only the expected publish flow (init, wizard, sync, build, deploy). The CLI also reads files in the user home (detectOpenVaults checks ~/Library/Application Support/obsidian/obsidian.json) to auto-detect vaults, and the wizard can write secrets into config.json (basicAuth.password) if provided — the README warns about this but the functionality exists. The skill runs shell commands (rsync, npx quartz, wrangler) via execSync; these are expected for the task but will execute arbitrary local commands.
Install Mechanism
No install spec or remote downloads; the skill is instruction-only with a bundled Node CLI. Nothing is pulled from arbitrary URLs during install. Users must have Node, npm, rsync, npx, and wrangler installed separately.
Credentials
The skill requires Cloudflare credentials (CLOUDFLARE_API_TOKEN and CLOUDFLARE_ACCOUNT_ID) and optionally basic auth credentials, but the registry metadata lists no required env vars or primary credential. This mismatch is a manifest omission that makes it harder to audit what secrets the skill needs. The wizard can also persist basic auth passwords into config.json (plaintext) unless the user explicitly uses env-backed credentials, which increases risk of accidental secret leakage.
Persistence & Privilege
always is false and the skill does not request persistent platform-wide privileges. It can clear a workspace directory as part of a fallback setup, but that destructive behavior is gated by the ALLOW_DESTRUCTIVE=1 environment variable and there are explicit guards (assertSafePath) and warnings in the docs. Still, this capability is powerful and must be used only on a dedicated workspace path.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install openclaw-skill-obsidian-cloudflare-pages - After installation, invoke the skill by name or use
/openclaw-skill-obsidian-cloudflare-pages - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
Republish verification
v1.0.1
Hardening + docs polish + banner update
Metadata
Frequently Asked Questions
What is OpenClaw Skill: Obsidian Markdown to Cloudflare Pages?
Publish selected Obsidian markdown from a vault to a static site and deploy to Cloudflare Pages. It is an AI Agent Skill for Claude Code / OpenClaw, with 415 downloads so far.
How do I install OpenClaw Skill: Obsidian Markdown to Cloudflare Pages?
Run "/install openclaw-skill-obsidian-cloudflare-pages" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is OpenClaw Skill: Obsidian Markdown to Cloudflare Pages free?
Yes, OpenClaw Skill: Obsidian Markdown to Cloudflare Pages is completely free (open-source). You can download, install and use it at no cost.
Which platforms does OpenClaw Skill: Obsidian Markdown to Cloudflare Pages support?
OpenClaw Skill: Obsidian Markdown to Cloudflare Pages is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created OpenClaw Skill: Obsidian Markdown to Cloudflare Pages?
It is built and maintained by David O. (@davidyoh); the current version is v1.0.2.
More Skills