Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Todozi - Your Ai Task Manager
v1.0.0
Todozi Eisenhower matrix API client + LangChain tools. Create matrices, tasks, goals, notes; list/search/update; bulk operations; webhooks. Categories: do, done, dream, delegate, defer, dont.
⭐ 0 · 1.8k · 2 current · 2 all-time
by @bgengs
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The code and SKILL.md implement a Todozi API client and LangChain tools consistent with the description (create/list/update tasks, matrices, webhooks). However the registry metadata declares no required env vars or primary credential even though both the README and code expect TODOZI_API_KEY (and optionally TODOZI_BASE). Also the code imports substantial libraries (langchain, langgraph, httpx) that aren't declared in metadata.
Instruction Scope
Runtime instructions stay within the stated purpose: calling the Todozi API, listing/creating tasks, and exposing LangChain tools. They do include flows that register an API key and create webhooks (which will send data to arbitrary webhook URLs you supply). There is no instruction to read unrelated system files or hidden env vars, but webhook registration can cause the service to POST user data to external endpoints you configure.
Install Mechanism
There is no install spec (instruction-only skill with a bundled Python file). That lowers installer risk, but the code depends on third-party Python packages (httpx, langchain, langgraph) with no declared dependency list or install instructions in the registry. This mismatch may cause unexpected runtime failures or lead integrators to install dependencies from unknown sources manually.
Credentials
The skill requires an API key (TODOZI_API_KEY) and optionally TODOZI_BASE, but the registry lists no required environment variables or primary credential. Requesting/providing an API key is proportionate to the task, but the omission from metadata is an incoherence that could mislead users about what secrets the skill needs. Additionally, the register/webhook endpoints can yield an API key and cause the service to send data to external URLs — this should be considered sensitive.
Persistence & Privilege
always:false and default invocation settings mean the skill is not forced into every agent run. The skill exposes LangChain tools that allow the agent to act on your Todozi data (create/update/delete). This is expected for a task-manager integration, but it increases the impact if the skill is misused, so be cautious when granting autonomous invocation.
What to consider before installing
This skill's code and docs match the stated purpose (a Todozi API client and LangChain tools), but the registry metadata is incomplete: it doesn't declare the TODOZI_API_KEY (and dependency list) that the SKILL.md and code expect. Before installing, verify the source/trustworthiness of todozi.com and the skill author. Do not supply real API keys unless you trust the service; consider creating a limited/test API key. Be careful when registering webhooks — any webhook URL you provide will receive event payloads (potentially exposing task data). Ask the publisher to update the registry metadata to list required env vars (TODOZI_API_KEY, TODOZI_BASE optional) and Python dependencies (e.g., httpx, langchain, langgraph). If you proceed, run the skill in a restricted environment or review the full code for any additional network calls and audit webhook targets.
Like a lobster shell, security has layers — review code before you run it.
Tags: ai collaboration, cross platform, goals, latest, tasks, todozi.com
