Command-line tool to manage Wiki.js content, pages, assets, templates, and backups via its GraphQL API with search, update, sync, and analysis functions.
Security Analysis
medium confidenceThe code and instructions mostly match a Wiki.js CLI, but some metadata omissions and a missing declared config path (where a Wiki.js API token lives) are inconsistent and worth investigating before installing.
The package files, SKILL.md, and code implement a Wiki.js GraphQL CLI (list/create/update/delete, assets, backup/sync, etc.), which is coherent with the skill name. However the skill metadata provided no description/homepage while package.json claims a GitHub homepage — a minor mismatch in source metadata.
SKILL.md explicitly instructs installing via npm, creating a config at ~/.config/wikijs.json with url and apiToken, and using commands. Runtime instructions and code operate on that config and the Wiki.js API only; there are no instructions to read unrelated system files or send data to unexpected endpoints.
There is no platform install spec, but the repo includes package.json and SKILL.md instructs `npm install && npm link`. That is consistent with a JS CLI distributed via source. This is moderately risky compared to an instruction-only skill with no code, because running npm install pulls third-party packages onto disk — review dependencies before installing.
Registry metadata declared no required config paths or credentials, but the code requires and reads a config file at ~/.config/wikijs.json that must contain the Wiki.js url and an apiToken. The CLI will also write cache (~/.cache/wikijs-cli) and may write backups to configured paths. The missing declaration of the config path / secret is an inconsistency that affects security decisions: the skill will have access to an API token stored on disk that was not declared in metadata.
The skill does not request always:true and does not modify other skills or system settings. It does write cache files and can create backups in configured directories (per SKILL.md and code), which is expected for a CLI but means it will persist data on the host filesystem under user-owned paths.
Guidance
This package appears to be a genuine Wiki.js CLI: it expects a config file at ~/.config/wikijs.json containing your wiki URL and an API token and will use that token to call your Wiki.js instance. Before installing or supplying credentials, do the following: 1) Verify the upstream source — the registry metadata lacks a homepage but package.json points to a GitHub repo; confirm that repo and maintainer are trustworthy. 2) Inspect package.json and node dependencies (npm install will fetch them). 3) Review the config file contents you will place at ~/.config/wikijs.json and ensure the API token has minimal permissions needed (avoid using a full-admin token if possible). 4) Be aware the CLI will create cache (~/.cache/wikijs-cli) and may write backups to configured directories — pick safe locations. 5) If you need stronger isolation, run npm install and the CLI in a disposable environment/container or on a machine account with limited privileges. The main inconsistency is that the skill metadata did not declare the required config path/credential; if that matters for your risk posture, ask the publisher to update metadata or provide a signed, canonical upstream release link before installing.
Latest Release
v1.4.0
Wiki.js Skill v1.4.0 adds a comprehensive CLI for managing Wiki.js via the GraphQL API. - Introduces over 40 CLI commands for reading, writing, tagging, backup, versioning, and analysis of wiki content. - Adds bulk operations, asset management, templates, spellcheck, link checking, markdown linting, and duplicate/orphan page detection. - Supports page hierarchy display, content replacement, page cloning, and interactive shell or watch modes. - Includes extensive configuration options for API access, output formats, rate limiting, color, debugging, and confirmations. - Offers detailed examples and integration notes for streamlined scripting and automation.
More by @hopyky
Published by @hopyky on ClawHub
