davidyoh

OpenClaw Skill: Obsidian Markdown to Cloudflare Pages

Author: David O. · GitHub · v1.0.2
cross-platform ⚠ suspicious
Total downloads: 415
Favorites: 0
Current installs: 2
Versions: 2
Install in OpenClaw
/install openclaw-skill-obsidian-cloudflare-pages
Description
Publish selected Obsidian markdown from a vault to a static site and deploy to Cloudflare Pages.
Security usage recommendations
This skill appears to implement the advertised Obsidian→Cloudflare Pages workflow, but review these items before using it:
- Provide Cloudflare credentials only via a local .env or shell environment; the skill expects CLOUDFLARE_API_TOKEN and CLOUDFLARE_ACCOUNT_ID but the registry metadata did not declare them — that is a manifest omission. Treat this as intentional: the tool needs a Cloudflare token to deploy.
- The wizard can store a basic-auth password directly into config.json (plaintext) unless you explicitly use env-backed credentials; prefer BASIC_AUTH_USERNAME/PASSWORD in your environment and do not commit config.json.
- The CLI will attempt to read files in your home directory (it tries to detect Obsidian vaults at a macOS path). If you don't want that, run on a controlled machine or edit the script.
- The script can run arbitrary shell commands (rsync, npx quartz, wrangler) and has a fallback that may clear the configured workspace when ALLOW_DESTRUCTIVE=1 is set — only point the workspace to a dedicated path you can safely wipe.
- Use --dry-run / DRY_RUN=1 first to preview actions, inspect bin/publishmd-cf.js for any code you are uncomfortable with, and consider running the workflow on a test subdomain before production.
If these caveats are acceptable and you verify the code, the skill itself is coherent with its purpose; the main issues are the missing manifest declaration for required envs and the potential for accidental plaintext secret storage and destructive workspace operations.
Functional analysis
Type: OpenClaw Skill
Name: openclaw-skill-obsidian-cloudflare-pages
Version: 1.0.2
The skill is classified as suspicious due to a shell injection vulnerability in the `sh` function within `bin/publishmd-cf.js`, where configuration values (such as project names or branches) are directly interpolated into `execSync` calls without sanitization. The script also performs local data discovery by reading the Obsidian application's internal configuration file (`obsidian.json`) to locate vaults and handles sensitive credentials by writing them into a generated `_middleware.js` file for deployment. While these actions are aligned with the stated purpose of automating Obsidian-to-Cloudflare publishing, the lack of input validation and the handling of secrets represent significant security flaws.
Capability assessment
Purpose & Capability
Name and description align with the included CLI and code: it syncs markdown, builds with Quartz, and deploys with Wrangler. However the registry metadata does not declare the Cloudflare API credentials the code actually expects (CLOUDFLARE_API_TOKEN, CLOUDFLARE_ACCOUNT_ID), which is an omission in the manifest.
Instruction Scope
SKILL.md and the CLI instruct only the expected publish flow (init, wizard, sync, build, deploy). The CLI also reads files in the user home (detectOpenVaults checks ~/Library/Application Support/obsidian/obsidian.json) to auto-detect vaults, and the wizard can write secrets into config.json (basicAuth.password) if provided — the README warns about this but the functionality exists. The skill runs shell commands (rsync, npx quartz, wrangler) via execSync; these are expected for the task but will execute arbitrary local commands.
Install Mechanism
No install spec or remote downloads; the skill is instruction-only with a bundled Node CLI. Nothing is pulled from arbitrary URLs during install. Users must have Node, npm, rsync, npx, and wrangler installed separately.
Credentials
The skill requires Cloudflare credentials (CLOUDFLARE_API_TOKEN and CLOUDFLARE_ACCOUNT_ID) and optionally basic auth credentials, but the registry metadata lists no required env vars or primary credential. This mismatch is a manifest omission that makes it harder to audit what secrets the skill needs. The wizard can also persist basic auth passwords into config.json (plaintext) unless the user explicitly uses env-backed credentials, which increases risk of accidental secret leakage.
Persistence & Privilege
always is false and the skill does not request persistent platform-wide privileges. It can clear a workspace directory as part of a fallback setup, but that destructive behavior is gated by the ALLOW_DESTRUCTIVE=1 environment variable and there are explicit guards (assertSafePath) and warnings in the docs. Still, this capability is powerful and must be used only on a dedicated workspace path.
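How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install openclaw-skill-obsidian-cloudflare-pages
  3. After installation, call the Skill by name or trigger it with /openclaw-skill-obsidian-cloudflare-pages
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history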
v1.0.2
Republish verification
v1.0.1
Hardening + docs polish + banner update
Metadata
Slug openclaw-skill-obsidian-cloudflare-pages
Version 1.0.2
License
Total installs 2
Current installs 2
Number of versions 2
FAQ

What is OpenClaw Skill: Obsidian Markdown to Cloudflare Pages?

Publish selected Obsidian markdown from a vault to a static site and deploy to Cloudflare Pages. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 415 total downloads so far.

How do I install OpenClaw Skill: Obsidian Markdown to Cloudflare Pages?

Run the command "/install openclaw-skill-obsidian-cloudflare-pages" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is OpenClaw Skill: Obsidian Markdown to Cloudflare Pages free?

Yes, OpenClaw Skill: Obsidian Markdown to Cloudflare Pages is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does OpenClaw Skill: Obsidian Markdown to Cloudflare Pages support?

OpenClaw Skill: Obsidian Markdown to Cloudflare Pages runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed OpenClaw Skill: Obsidian Markdown to Cloudflare Pages?

Developed and maintained by David O. (@davidyoh); the current version is v1.0.2.
