OpenTIL
v1.11.0
Capture and manage TIL (Today I Learned) entries on OpenTIL. Use /til <content> to capture, /til to extract insights from conversation, or /til list|publish|edit|search|delete|status|sync|tags|categories|batch to manage entries -- all without leaving the CLI.
by @biao29
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's described purpose (capture and manage TILs on OpenTIL) matches the instructions and API calls in SKILL.md: it uses OpenTIL endpoints, supports publish/edit/delete/sync, and stores local drafts. However, registry metadata lists no required env vars while SKILL.md declares a primaryEnv (OPENTIL_TOKEN) and explicitly requires a Personal Access Token; this metadata mismatch is inconsistent and should be corrected.
Instruction Scope
Runtime instructions are focused on the stated purpose and do not ask the agent to read arbitrary system files. The skill will: read $OPENTIL_TOKEN, read/write ~/.til/credentials, create and list ~/.til/drafts/, open the system browser (open/xdg-open) for device auth, and poll the OAuth device endpoint via shell. It also includes an 'auto-detection' feature that instructs the agent to proactively append TIL suggestions to normal responses — this is functional scope creep (behavioral, not credential access) that you should be aware of.
Install Mechanism
No install spec or code files; this is instruction-only. Nothing is downloaded or written by an installer. Risk from install mechanism is low.
Credentials
The skill legitimately needs an OpenTIL token (read:entries, write:entries, delete:entries) to perform management operations. It will accept a token from $OPENTIL_TOKEN or from ~/.til/credentials and will migrate an old plaintext token into a YAML profile automatically. That write/migration behavior is expected but should be noted because it modifies files under your home directory. No other unrelated credentials or environment variables are requested.
Persistence & Privilege
The skill is not 'always' enabled and does not request elevated system privileges. It will create/read/write files under ~/.til/ (credentials and drafts) and may delete local draft files after a successful sync. Autonomous invocation is allowed by default (normal for skills) and the auto-detection feature will cause the agent to append TIL suggestions to responses when enabled — consider whether you want that proactive behavior.
What to consider before installing
What to check before installing:
- Metadata mismatch: the registry entry claims no required env vars but SKILL.md uses a primaryEnv (OPENTIL_TOKEN). Expect to provide an OPENTIL_TOKEN environment variable or allow the skill to create/modify ~/.til/credentials.
- Token scope: you will be asked to create a token with read:entries, write:entries, and delete:entries. Only grant scopes you are comfortable with (delete scope allows permanent deletes).
- Local file writes: the skill will create and modify ~/.til/credentials and ~/.til/drafts/ and will migrate an old plaintext token into YAML automatically. Back up any existing ~/.til files if you care about them.
- OAuth flow: the auth command opens your browser (open/xdg-open) and runs a polling loop to obtain a token — this requires the agent to run shell commands that interact with the system browser.
- Proactive suggestions: the auto-detection doc instructs the agent to append TIL suggestions to normal responses. If you don’t want unsolicited suggestions appended to agent outputs, avoid enabling that feature or confirm how/when it runs.
If you proceed: create a dedicated token with the minimum necessary scopes, inspect ~/.til after first run, and consider setting OPENTIL_TOKEN in your environment rather than relying on profile migration if you want explicit control. If you need higher assurance, ask the publisher to fix the registry metadata to declare OPENTIL_TOKEN so required permissions are transparent.
Like a lobster shell, security has layers — review code before you run it.
latest vk97d36jat07sf976sqr3443c4x81345d
