Back to skill
Skillv3.0.1
ClawScan security
Todo · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 11, 2026, 6:06 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is internally consistent: it implements a local, Python-based todo system that only reads/writes files under ~/.openclaw/workspace/memory/todo and requires no external credentials or network access.
- Guidance
- This skill appears safe and coherent: it runs locally using python3 and stores data under ~/.openclaw/workspace/memory/todo. Before installing, verify you are comfortable with the skill creating and updating files in that path, and optionally inspect the bundled scripts yourself (they are plain Python and contain no network calls). Make backups of any existing ~/.openclaw data you care about. Because the skill is allowed to be invoked by the agent (normal default), consider whether you want the agent to call it autonomously; the skill is not set to always run and does not request credentials or external access.
Review Dimensions
- Purpose & Capability
- okName/description align with the included scripts: capture, scoring, what-next recommendation, daily/weekly workflows, archiving, and local storage initialization. The only runtime dependency (python3) is reasonable and declared in SKILL.md.
- Instruction Scope
- okRuntime instructions and scripts only operate on local files under ~/.openclaw/workspace/memory/todo; they do not reference external endpoints, unrelated system paths, or undeclared environment variables. The actions (add/update/archive/review/score) match the stated purpose.
- Install Mechanism
- okNo install spec is provided (instruction-only). All code is bundled in the skill and there are no download/install steps from remote URLs, package registries, or extract operations.
- Credentials
- okThe skill declares no required environment variables or credentials and the scripts do not read environment secrets. Access is limited to the user's home directory path under ~/.openclaw/workspace/memory/todo.
- Persistence & Privilege
- okalways is false and the skill does not attempt to modify other skills or global agent settings. It persists only its own data files and metadata in a single directory under the user's home.