ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Plutio

v1.0.1

Manage Plutio projects and tasks. Use when you need to create, update, close, or query tasks and projects in Plutio (task/project management platform). Suppo...

0· 350·0 current·0 all-time
by@grewingm
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The name/description, SKILL.md, references, and the included Python CLI all consistently implement a Plutio project/task management client — that aligns with the stated purpose. However, the registry metadata declares no required environment variables or primary credential while the code and docs clearly require a Plutio App Key (client id) and Secret (client secret) to operate. That metadata omission is an incoherence: the skill will not function without credentials yet does not declare them in the registry.
Instruction Scope
Runtime instructions and examples are narrowly scoped to Plutio API actions (list/create/update/close tasks, list people, etc.). The skill caches OAuth tokens locally (~1 hour) and the docs instruct how to configure credentials via environment variables, Bitwarden, or OpenClaw auto-configuration. Example workflows show optional integrations (e.g., sending Matrix notifications) and scheduling via Task Scheduler; those are user-driven and outside the core API client but are clearly documented. There is no instruction to read unrelated system files or exfiltrate data, but some examples show storing credentials in scheduled scripts or shell profiles which can be insecure if the user follows them blindly.
Install Mechanism
This is instruction-only plus a single Python script; there is no install spec that downloads remote code. The script expects Python3 and the requests library but does not attempt to install arbitrary third-party packages from unknown URLs. No high-risk download/extract steps are present.
!
Credentials
The skill needs sensitive credentials (Plutio App Key / Client Secret) to operate — the SKILL.md and setup docs explicitly show environment variables and CLI arguments for these secrets. Yet the skill metadata lists no required env vars or primary credential. Additionally, some documented configuration options (adding creds to shell profile, Windows scheduled task scripts) encourage storing secrets in plain text; the docs do recommend Bitwarden as most secure, but the presence of insecure examples increases risk if users follow them.
Persistence & Privilege
The skill does create a local token cache under ~/.config/plutio/token.json and restricts permissions (chmod 600) in the code. always:false and no cross-skill config modifications are present. There is no claim of persistent system-wide privileges beyond the token cache and normal file writes within the user's home directory.
What to consider before installing
This skill appears to be a real Plutio API client (code + docs match the stated purpose), but there is a clear metadata omission: the registry doesn't declare the required Plutio credentials even though the code and docs require them. Before installing: - Treat the skill as requiring your Plutio App Key/Client Secret; only provide those to this skill if you trust the source/author. The package owner is unknown — verify the origin. - Prefer the documented secure options (Bitwarden or OS credential manager) rather than adding credentials to shell profiles, scheduled-task scripts, or plain-text files. - Inspect the included script (scripts/plutio-cli.py) yourself (it is present) or run it in a sandboxed environment first. The script caches tokens to ~/.config/plutio/token.json; ensure you are comfortable with that path and its permissions. - Confirm network endpoints: the code uses api.plutio.com OAuth and API endpoints (expected). If you observe different remote endpoints in the code, do not proceed. - Ensure Python3 and the requests library are available in the runtime; the script does not include dependency installation steps. - If you need stronger assurance, request the publisher to update registry metadata to declare required env vars (PLUTIO_APP_KEY, PLUTIO_SECRET, PLUTIO_SUBDOMAIN) and provide provenance for the skill (homepage, owner identity) or run a code review/audit prior to granting credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk970bh431qmyzwznqt6kpq0ge5823n9t
350downloads
0stars
2versions
Updated 8h ago
v1.0.1
MIT-0
@grewingm
latest
Download

Plutio Skill

Integrate with Plutio for project and task management via REST API.

Platforms: Works with Linux/macOS (bash) and Windows (PowerShell 7). See references/powershell-workflows.md for PowerShell-specific examples.

Setup

Complete setup guide: See references/setup-guide.md for:

  • How to get API credentials from Plutio
  • Configuring via OpenClaw chat (recommended)
  • Command-line setup for Linux, macOS, and Windows
  • Secure credential storage (Bitwarden, environment variables)
  • Troubleshooting common issues

Quick summary:

  1. Get credentials from Plutio (Settings > API > Create Application)
  2. Ask OpenClaw to configure (easiest): "Setup Plutio with Client ID: XXX and Secret: YYY"
  3. Or set environment variables:
    • Linux/macOS: export PLUTIO_APP_KEY="..."
    • Windows PowerShell: $env:PLUTIO_APP_KEY = "..."
  4. Python 3 must be installed

The skill caches access tokens locally (valid for ~1 hour), then automatically refreshes when needed.

Quick Start

List all projects

python3 $env:USERPROFILE\.openclaw\workspace\skills\plutio\scripts\plutio-cli.py `
  --subdomain grewing `
  --app-key YOUR_APP_KEY `
  --secret YOUR_SECRET `
  list-projects

List tasks in a project

python3 $env:USERPROFILE\.openclaw\workspace\skills\plutio\scripts\plutio-cli.py `
  --subdomain grewing `
  --app-key YOUR_APP_KEY `
  --secret YOUR_SECRET `
  list-tasks --project-id PROJECT_ID

Create a task

python3 $env:USERPROFILE\.openclaw\workspace\skills\plutio\scripts\plutio-cli.py `
  --subdomain grewing `
  --app-key YOUR_APP_KEY `
  --secret YOUR_SECRET `
  create-task `
    --title "My Task Title" `
    --board-id BOARD_ID `
    --group-id GROUP_ID

Note: To make tasks appear in the Plutio UI, you must provide both --board-id (Task List board ID) and --group-id (column/group ID like Backlog, In Progress, Done).

List people (team members)

python3 $env:USERPROFILE\.openclaw\workspace\skills\plutio\scripts\plutio-cli.py `
  --subdomain grewing `
  --app-key YOUR_APP_KEY `
  --secret YOUR_SECRET `
  list-people

Common Operations

Create a task with all fields

python3 $env:USERPROFILE\.openclaw\workspace\skills\plutio\scripts\plutio-cli.py create-task `
  --subdomain grewing `
  --project-id PROJECT_ID `
  --title "Task Title" `
  --description "Detailed description" `
  --priority "high" `
  --status "open" `
  --assignee-id PERSON_ID `
  --due-date "2026-03-15" `
  --app-key YOUR_APP_KEY `
  --secret YOUR_SECRET

Supported fields when creating/updating tasks:

  • title - Task name
  • description - Task details
  • status - open, in_progress, closed, or custom status name
  • priority - low, medium, high, urgent
  • assignee-id - Person ID to assign task to
  • due-date - ISO format (YYYY-MM-DD)
  • label-ids - Comma-separated label IDs
  • custom-fields - JSON string with custom field values

Close a task

python3 $env:USERPROFILE\.openclaw\workspace\skills\plutio\scripts\plutio-cli.py update-task `
  --subdomain grewing `
  --task-id TASK_ID `
  --status "closed" `
  --app-key YOUR_APP_KEY `
  --secret YOUR_SECRET

API Reference

See references/api-endpoints.md for:

  • Full endpoint documentation
  • Response schemas
  • Field descriptions
  • Rate limits and pagination

How It Works

  1. Authentication: Exchanges app key + secret for temporary access token
  2. API Calls: Uses token for authenticated requests to Plutio REST API
  3. Token Caching: Stores token locally for faster subsequent calls
  4. Error Handling: Reports API errors clearly with troubleshooting hints

Important Notes on Plutio v1.11 API

Supported Operations:

  • ✅ List projects
  • ✅ List tasks (all tasks in workspace or by board)
  • ✅ Create tasks (with board and group IDs)
  • ✅ List people/team members

Key Requirements for v1.11:

  • Tasks need both taskBoardId AND taskGroupId to appear in the Plutio UI
  • Tasks without these parameters are created but remain hidden from the interface
  • Get your board and group IDs from the Plutio project's Task List

Known Limitations (v1.11):

  • projectId parameter doesn't work - use taskBoardId instead
  • Task creation supports: title, board ID, group ID only
  • Other fields (status, priority, description) are not supported in the create endpoint
  • Task updates via API have permission restrictions (use Plutio UI)
  • To add details to tasks, edit them directly in Plutio UI
  • Contact Plutio support for advanced field support

Troubleshooting

"Unauthorized" error:

  • Verify Client ID and Secret are copied exactly from Plutio Settings > API manager
  • Check that the API application is created and visible in your API manager
  • Ensure you're using v1.11 or later

"Project not found": Verify project ID with list-projects

"Rate limited": Plutio has 1000 calls/hour limit. Wait before retrying.

Tasks not appearing in results: Check the Plutio UI directly - the API may have caching delays.

Integration Examples

For PowerShell Users

Complete PowerShell 7 workflows and examples: See references/powershell-workflows.md for:

  • Daily task briefings
  • Batch task operations
  • Integration with Windows Task Scheduler
  • Error handling patterns

For OpenClaw Integration

In OpenClaw, you could create a script that:

  1. Checks calendar for upcoming deadline
  2. Queries Plutio for tasks due that day
  3. Sends reminder via Matrix

See the scripts/ folder and references/ for implementation examples.

Last updated: 2026-03-01

Comments

Loading comments...