← 返回 Skills 市场
267
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install pop-obsidian
功能描述
Plugin Orchestration Protocol (POP) for Obsidian integration. Use this skill when the user mentions "POP", "Obsidian plugin", "pipeline orchestration", "idea...
安全使用建议
Before installing or enabling this skill, get concrete answers to these questions: 1) Where and how is the ATOM token generated and stored? The manifest shows $ATOM_TOKEN_RESONANCE in pipeline payloads but the skill metadata declares no required env vars — do not provide any sensitive environment variables until you confirm what exactly will be sent and to whom. 2) Which external binaries/services must be installed on the host (AutoFigure, Pandoc, Rust bridge), and can you review those repositories and their network behavior? 3) What happens when ai_expand falls back to 'Claude API' — what endpoint, what data is sent, and is that acceptable for your vault contents? 4) Where does the 'publish' step actually post content (URL/host)? Ensure it is an explicit, reviewed endpoint. 5) If you must use this skill, restrict which environment variables the orchestrator may access, run the Rust bridge locally behind a firewall, and avoid supplying secrets or high-privilege tokens until the implementation and endpoints are audited. If the publisher can provide the Rust bridge source and the Obsidian plugin code (or a vetted build), review those to confirm no external endpoints are hard-coded and that environment-variable substitution is safe.
功能分析
Type: OpenClaw Skill
Name: pop-obsidian
Version: 1.0.0
The skill implements a complex JSON-RPC orchestration protocol (POP) for Obsidian via a local WebSocket bridge (ws://127.0.0.1:8088). A significant security concern is the protocol's explicit support for accessing system environment variables via '$ENV_VAR' syntax (defined in protocol-spec.md), which provides a direct path for data exfiltration if the agent is misdirected. While the bundle's stated purpose is document and research automation, the combination of environment variable access, local network communication, and the requirement for external tool execution (e.g., 'autofigure' via pip) creates a high-risk surface without clear evidence of intentional malice.
能力评估
Purpose & Capability
The skill's stated purpose (orchestrating multi-step pipelines in Obsidian via a local WebSocket bridge) matches the instructions and reference files: discovery, execution, step reporting and coherence checks are all described and the included plugin catalog and protocol spec align with that purpose. However, the protocol and templates reference required tools and tokens (ATOM token, AutoFigure, Pandoc, Claude API fallback) that are not declared in the skill metadata (no required env vars, no required binaries). This mismatch is noteworthy but could be explained by the skill assuming the host already provides these components.
Instruction Scope
SKILL.md and protocol-spec permit pipelines to reference environment variables via $ENV_VAR syntax and show $ATOM_TOKEN_RESONANCE used in payloads, but the skill does not declare any required env vars. The plugin-catalog explicitly says ai_expand may 'fall back to Claude API directly if no plugin is installed' — that means vault content could be sent to external third-party APIs. Pipeline steps include create/delete/update note operations and publishing steps (including an unspecified 'publish' to a platform using ATOM auth). The instructions therefore allow (and in places instruct) reading and transmitting potentially sensitive vault content and environment variables to other processes or networks; this scope is broader than the simple 'Obsidian plugin orchestration' label might suggest.
Install Mechanism
This is an instruction-only skill (no install spec) which is lower friction, but the reference docs require external components (e.g., 'Requires: pip install autofigure' for figure generation; Pandoc binary for export_docx) and a Rust WebSocket bridge. Those requirements are not documented in the metadata or enforced by an install step, creating an incoherence: the skill depends on host-side binaries and services that the installer may not know to install. Absence of install instructions makes it easy to miss these dependencies and increases risk if operators install unspecified third-party tools later without review.
Credentials
The protocol relies on an ATOM token (ATOM_TOKEN_RESONANCE) included in EXECUTE_PIPELINE messages and allows arbitrary $ENV_VAR substitution in step params, but the skill declares no required environment variables. That gap is important: pipelines can embed environment values into messages that will be dispatched to the bridge and possibly to external services (e.g., LLM fallback or publish steps). This gives potential for accidental or intentional exfiltration of secrets if an agent substitutes sensitive env vars into pipeline params. The skill also references conservation/NEAR verification and other cross-service artifacts that may require secrets or keys, yet none are declared.
Persistence & Privilege
The skill is not always-enabled, has no install spec that writes files, and does not request elevated agent privileges. The included TypeScript stub is designed to run inside an Obsidian plugin (connect as a WS client to a local Rust bridge) and does not attempt to modify other skills or global agent settings. No 'always: true' or other elevated persistence is present.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install pop-obsidian - 安装完成后,直接呼叫该 Skill 的名称或使用
/pop-obsidian触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release of pop-obsidian: real-time multi-step plugin orchestration for Obsidian via POP protocol.
- Implements 5-phase Plugin Orchestration Protocol (POP) using JSON-RPC over WebSocket.
- Supports pipeline discovery, execution, progress tracking, coherence assessment, and error handling.
- Allows orchestration of complex workflows (e.g., "idea to publish") with step dependencies.
- Integrates with Rust WebSocket bridge and TUI dashboard for real-time monitoring.
- Uses ATOM token authentication with five-strand anyon braid topology.
- Provides extensible protocol for Obsidian plugin integration and automation.
元数据
常见问题
Plugin Orchestration Protocol 是什么?
Plugin Orchestration Protocol (POP) for Obsidian integration. Use this skill when the user mentions "POP", "Obsidian plugin", "pipeline orchestration", "idea... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 267 次。
如何安装 Plugin Orchestration Protocol?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install pop-obsidian」即可一键安装,无需额外配置。
Plugin Orchestration Protocol 是免费的吗?
是的,Plugin Orchestration Protocol 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Plugin Orchestration Protocol 支持哪些平台?
Plugin Orchestration Protocol 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Plugin Orchestration Protocol?
由 toolated(@toolate28)开发并维护,当前版本 v1.0.0。
推荐 Skills