Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

taskleef

v1.0.1

Use when managing todos, tasks, projects, or kanban boards via Taskleef.com. Supports adding, listing, completing, deleting todos, organizing with projects, and managing kanban boards. Use when the user wants to track tasks, manage their todo list, organize work by projects, or use kanban workflows.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description, required binaries (todo, curl, jq), and required env var (TASKLEEF_API_KEY) all align with a CLI-based integration for Taskleef.com. The only minor metadata mismatch is that registry metadata lists no homepage while the SKILL.md includes https://taskleef.com, but this does not affect capability alignment.
Instruction Scope
SKILL.md instructs the agent to call the todo CLI and describes CLI flags and expected behavior. It does not instruct reading unrelated files or environment variables beyond TASKLEEF_API_KEY, and only mentions an optional auth file (~/.taskleef.auth) which is reasonable for storing credentials.
Install Mechanism
The install spec will download a single 'todo' executable from raw.githubusercontent.com (Xatter/taskleef) and provides jq via Homebrew or GitHub releases. Downloads come from GitHub hosts (known/common) rather than unknown personal servers, but installing an executable fetched from a raw GitHub URL is a higher-risk operation than using a vetted package — users should review the binary/script before making it executable.
Credentials
Only TASKLEEF_API_KEY is required and declared as the primary credential; that matches the stated purpose. The skill suggests an optional auth file and storing an API key in the agent config, which are reasonable. No unrelated credentials or excessive environment access are requested.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent system privileges. It does not modify other skills' configs or system-wide settings beyond suggesting where to store an API key in the user's Clawdbot config (normal for skill configuration).
Assessment
This skill appears coherent for managing Taskleef todos, but take these precautions before installing:
- Verify that https://taskleef.com is the legitimate service you expect.
- Inspect the 'todo' file the installer downloads from raw.githubusercontent.com before running chmod +x; raw GitHub content can be arbitrary code. Prefer installing from an official release repository or building from source when possible.
- Keep TASKLEEF_API_KEY secret: store it in the agent config or an auth file with restrictive permissions (e.g., chmod 600), and do not commit it into dotfiles or public repos.
- Expect the todo CLI to make network requests to Taskleef APIs (normal for this skill); if you need tighter control, run the CLI in a constrained environment or review network activity.
If you want extra assurance, ask the skill author for an official release URL or published package and for the source repository for the todo CLI so you can review it before installing.

Runtime requirements

Clawdis
Bins: todo, curl, jq
Env: TASKLEEF_API_KEY
Primary env: TASKLEEF_API_KEY

Install

Install jq via Homebrew
Bins: jq
brew install jq