weeek-tasks
ReviewAudited by ClawScan on May 1, 2026.
Overview
The skill appears to do what it says—manage WEEEK tasks—but it uses a WEEEK API token and can change tasks, so users should confirm they want that access.
Install this only if you want the agent to access WEEEK through your API token. Protect WEEEK_TOKEN, prefer a limited-scope token if WEEEK supports it, and confirm any task-changing actions such as create, update, complete, or move.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked with the wrong task ID or parameters, the agent could modify WEEEK tasks incorrectly.
The script can update, complete, and move WEEEK tasks through API calls. This is consistent with the skill purpose, but it can change the user's task data.
request("PUT", f"/tm/tasks/{args.id}", body=body) ... request("POST", f"/tm/tasks/{args.id}/complete") ... request("POST", f"/tm/tasks/{args.id}/board", body=body)Use the mutation commands only for intended tasks, and ask for user confirmation before creating, updating, completing, or moving tasks.
Anyone or any agent process with access to the token may be able to access or modify WEEEK tasks permitted by that token.
The script requires a WEEEK bearer token and sends it to the WEEEK Public API. This is expected for the integration, but the token grants account-level access to read and change task data.
token = os.environ.get("WEEEK_TOKEN") ... "Authorization": f"Bearer {token}"Use a least-privilege WEEEK token if available, keep it in a protected environment variable, and declare WEEEK_TOKEN in the skill metadata for clearer installation expectations.