← Back to Skills Marketplace
267
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install pop-obsidian
Description
Plugin Orchestration Protocol (POP) for Obsidian integration. Use this skill when the user mentions "POP", "Obsidian plugin", "pipeline orchestration", "idea...
Usage Guidance
Before installing or enabling this skill, get concrete answers to these questions: 1) Where and how is the ATOM token generated and stored? The manifest shows $ATOM_TOKEN_RESONANCE in pipeline payloads but the skill metadata declares no required env vars — do not provide any sensitive environment variables until you confirm what exactly will be sent and to whom. 2) Which external binaries/services must be installed on the host (AutoFigure, Pandoc, Rust bridge), and can you review those repositories and their network behavior? 3) What happens when ai_expand falls back to 'Claude API' — what endpoint, what data is sent, and is that acceptable for your vault contents? 4) Where does the 'publish' step actually post content (URL/host)? Ensure it is an explicit, reviewed endpoint. 5) If you must use this skill, restrict which environment variables the orchestrator may access, run the Rust bridge locally behind a firewall, and avoid supplying secrets or high-privilege tokens until the implementation and endpoints are audited. If the publisher can provide the Rust bridge source and the Obsidian plugin code (or a vetted build), review those to confirm no external endpoints are hard-coded and that environment-variable substitution is safe.
Capability Analysis
Type: OpenClaw Skill
Name: pop-obsidian
Version: 1.0.0
The skill implements a complex JSON-RPC orchestration protocol (POP) for Obsidian via a local WebSocket bridge (ws://127.0.0.1:8088). A significant security concern is the protocol's explicit support for accessing system environment variables via '$ENV_VAR' syntax (defined in protocol-spec.md), which provides a direct path for data exfiltration if the agent is misdirected. While the bundle's stated purpose is document and research automation, the combination of environment variable access, local network communication, and the requirement for external tool execution (e.g., 'autofigure' via pip) creates a high-risk surface without clear evidence of intentional malice.
Capability Assessment
Purpose & Capability
The skill's stated purpose (orchestrating multi-step pipelines in Obsidian via a local WebSocket bridge) matches the instructions and reference files: discovery, execution, step reporting and coherence checks are all described and the included plugin catalog and protocol spec align with that purpose. However, the protocol and templates reference required tools and tokens (ATOM token, AutoFigure, Pandoc, Claude API fallback) that are not declared in the skill metadata (no required env vars, no required binaries). This mismatch is noteworthy but could be explained by the skill assuming the host already provides these components.
Instruction Scope
SKILL.md and protocol-spec permit pipelines to reference environment variables via $ENV_VAR syntax and show $ATOM_TOKEN_RESONANCE used in payloads, but the skill does not declare any required env vars. The plugin-catalog explicitly says ai_expand may 'fall back to Claude API directly if no plugin is installed' — that means vault content could be sent to external third-party APIs. Pipeline steps include create/delete/update note operations and publishing steps (including an unspecified 'publish' to a platform using ATOM auth). The instructions therefore allow (and in places instruct) reading and transmitting potentially sensitive vault content and environment variables to other processes or networks; this scope is broader than the simple 'Obsidian plugin orchestration' label might suggest.
Install Mechanism
This is an instruction-only skill (no install spec) which is lower friction, but the reference docs require external components (e.g., 'Requires: pip install autofigure' for figure generation; Pandoc binary for export_docx) and a Rust WebSocket bridge. Those requirements are not documented in the metadata or enforced by an install step, creating an incoherence: the skill depends on host-side binaries and services that the installer may not know to install. Absence of install instructions makes it easy to miss these dependencies and increases risk if operators install unspecified third-party tools later without review.
Credentials
The protocol relies on an ATOM token (ATOM_TOKEN_RESONANCE) included in EXECUTE_PIPELINE messages and allows arbitrary $ENV_VAR substitution in step params, but the skill declares no required environment variables. That gap is important: pipelines can embed environment values into messages that will be dispatched to the bridge and possibly to external services (e.g., LLM fallback or publish steps). This gives potential for accidental or intentional exfiltration of secrets if an agent substitutes sensitive env vars into pipeline params. The skill also references conservation/NEAR verification and other cross-service artifacts that may require secrets or keys, yet none are declared.
Persistence & Privilege
The skill is not always-enabled, has no install spec that writes files, and does not request elevated agent privileges. The included TypeScript stub is designed to run inside an Obsidian plugin (connect as a WS client to a local Rust bridge) and does not attempt to modify other skills or global agent settings. No 'always: true' or other elevated persistence is present.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install pop-obsidian - After installation, invoke the skill by name or use
/pop-obsidian - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of pop-obsidian: real-time multi-step plugin orchestration for Obsidian via POP protocol.
- Implements 5-phase Plugin Orchestration Protocol (POP) using JSON-RPC over WebSocket.
- Supports pipeline discovery, execution, progress tracking, coherence assessment, and error handling.
- Allows orchestration of complex workflows (e.g., "idea to publish") with step dependencies.
- Integrates with Rust WebSocket bridge and TUI dashboard for real-time monitoring.
- Uses ATOM token authentication with five-strand anyon braid topology.
- Provides extensible protocol for Obsidian plugin integration and automation.
Metadata
Frequently Asked Questions
What is Plugin Orchestration Protocol?
Plugin Orchestration Protocol (POP) for Obsidian integration. Use this skill when the user mentions "POP", "Obsidian plugin", "pipeline orchestration", "idea... It is an AI Agent Skill for Claude Code / OpenClaw, with 267 downloads so far.
How do I install Plugin Orchestration Protocol?
Run "/install pop-obsidian" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Plugin Orchestration Protocol free?
Yes, Plugin Orchestration Protocol is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Plugin Orchestration Protocol support?
Plugin Orchestration Protocol is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Plugin Orchestration Protocol?
It is built and maintained by toolated (@toolate28); the current version is v1.0.0.
More Skills