TODO Tracker (Safe)

Secure TODO tracker with input validation and safe file operations. Use for task management across sessions.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (local TODO tracker) align with what is present: a bash script that reads/writes a TODO.md and uses bash/grep/awk/sed. No unrelated credentials, binaries, or network access are requested.
Instruction Scope
SKILL.md and the script limit actions to local file operations, listing, adding, marking done, and summarizing tasks. The README and SKILL.md claim no env vars except TODO_FILE, but the script also reads HOME to build a default path (normal for local tools). The skill states it may display a summary on heartbeat — that implies autonomous invocation may cause periodic reads of the TODO file, which is consistent with the stated behavior.
Install Mechanism
No install spec; instruction-only with an included script. Nothing is downloaded or written by an installer, so there is no remote install risk.
Credentials
No required environment variables are declared. The script optionally respects TODO_FILE (reasonable). It also uses HOME implicitly to compute the default path — this is typical for a local file-based tool but is a minor mismatch with the SKILL.md phrasing that claimed 'no env var reading except TODO_FILE.'
Persistence & Privilege
always:false and no modifications to other skills or global agent configs. The script writes only to the user-specified (or default) TODO file; it requires an existing writable directory to create the file and will error otherwise.
Assessment
This script is a local, file-based TODO manager and appears to perform only safe text-file operations. Before installing: confirm that the default path (~/.openclaw/workspace/TODO.md) is acceptable (or set TODO_FILE), create the containing directory with correct permissions so the script can initialize the file, and be aware that the agent may autonomously show the summary (heartbeat), which reads that file. To be extra cautious, review the included scripts/todo.sh yourself: it contains the full implementation, and no network calls or calls to external services were found.

Current version: v1.0.1

Runtime requirements

📋 Clawdis
Bins: bash, grep, awk, sed

SKILL.md

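📋 TODO Tracker (Secure Version)

A secure cross-session task tracking tool with input validation and safe file operations.

Security improvements

Compared with the original version, this version includes the following security enhancements:

  1. Input validation - all user input is filtered through sanitize_input()
  2. Fixed-string matching - uses grep -F to avoid regex injection
  3. File permission check - verifies that the TODO file's permissions are not overly permissive
  4. No dynamic execution - does not use eval or command substitution to execute user input
  5. Error handling - uses set -euo pipefail strict mode
  6. Length limit - input is limited to 200 characters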
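
An added illustration (not the skill's own scripts/todo.sh) of why items 1, 2, 3 and 6 matter: a task query interpreted as a regex matches more lines than intended, while `grep -F` matches only the literal text. The function names, the control-character rule and the sample file are assumptions made for this example, and it uses `set -eu` rather than `set -euo pipefail` so that it also runs under plain `sh`.

```shell
#!/bin/sh
# Added example; NOT the skill's scripts/todo.sh. Function names are hypothetical.
set -eu

MAX_LEN=200  # length limit stated in the list above

# Accept a task string only if it is non-empty, within MAX_LEN, and free of
# control characters (the control-character rule is an assumption).
validate_task() {
  [ -n "$1" ] || return 1
  [ "${#1}" -le "$MAX_LEN" ] || return 1
  case $1 in
    *[[:cntrl:]]*) return 1 ;;
  esac
  return 0
}

# Lines matched when the query is interpreted as a regex (the risky form).
count_regex() { grep -c -- "$1" "$2" || true; }

# Lines matched when the query is a literal string (grep -F).
count_fixed() { grep -cF -- "$1" "$2" || true; }

# Succeeds if the file is writable by group or others.
too_permissive() {
  [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# Constructed sample TODO file; prints its path.
make_sample() {
  sample=$(mktemp)
  chmod 600 "$sample"
  printf '%s\n' '- [ ] fix a.c build' '- [ ] fix abc build' \
    '- [ ] reply to email' > "$sample"
  printf '%s\n' "$sample"
}

# Demo: the same query, regex versus fixed string.
demo_file=$(make_sample)
echo "regex 'a.c' matches: $(count_regex 'a.c' "$demo_file") lines"
echo "fixed 'a.c' matches: $(count_fixed 'a.c' "$demo_file") lines"
rm -f "$demo_file"
```

The `--` before the query keeps a task text that begins with `-` from being parsed as a grep option.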

Usage

# Add a task
todo.sh add high "完成项目报告"
todo.sh add medium "回复邮件"
todo.sh add low "整理文件"

# Mark as done
todo.sh done "项目报告"

# Remove a task
todo.sh remove "整理文件"

# List tasks
todo.sh list          # all
todo.sh list high     # high priority
todo.sh list done     # completed

# Summary (for heartbeat)
todo.sh summary

Configuration

  • TODO_FILE - custom TODO file path (default: ~/.openclaw/workspace/TODO.md)

Triggers

When the user says:

  • "添加到 TODO" / "add to TODO"
  • "标记 X 完成" / "mark X done"
  • "TODO 列表" / "TODO list"
  • "还有什么任务" / "what's on the TODO"
  • The summary is shown automatically on heartbeat

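Security audit

  • ✅ No external API calls
  • ✅ No network requests
  • ✅ No environment variable reads (except TODO_FILE)
  • ✅ No dynamic code execution
  • ✅ Input is strictly filtered
  • ✅ File operations include permission checks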

Files

3 total