4todo

v0.1.3

Manage 4todo (4to.do) from chat. Capture tasks, prioritize with the Eisenhower Matrix, reorder, complete, and manage recurring tasks across workspaces.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill clearly intends to manage 4to.do via its API (workspaces, todos, recurring todos). The SKILL.md requires an API token (FOURTODO_API_TOKEN) and use of curl, which are proportionate to that purpose. However, the registry metadata lists no required environment variables or required binaries — a mismatch between what the skill says it needs at runtime and what the registry declares.
Instruction Scope
The SKILL.md instructs only to call the 4to.do API over HTTPS and to store/use the API token via OpenClaw environment injection or Docker env for sandboxed sessions. It does not ask the agent to read unrelated system files, exfiltrate data to third parties, or run arbitrary code. It does instruct edits to OpenClaw config files (~/.openclaw/openclaw.json) and Docker agent config when setting the token — this is expected for injecting credentials but is a change to user config that the user should consent to.
Install Mechanism
No install spec and no code files (instruction-only), so nothing is downloaded or written by an installer. This minimizes install-time risk.
Credentials
SKILL.md requires a single bearer token (FOURTODO_API_TOKEN) — appropriate and limited. However, the skill also requires curl on PATH; neither the required env var nor the binary requirement is declared in the registry metadata. The metadata omission is an incoherence that could cause accidental token exposure or runtime failures if the operator isn't warned.
Persistence & Privilege
The skill does not request always:true, does not attempt to modify other skills, and uses normal OpenClaw mechanisms for per-run env injection or host config entries. The fact it suggests enabling itself in ~/.openclaw/openclaw.json is expected behavior for host runs but will write to a user config file — users should review such changes before applying them.
What to consider before installing
This skill appears to do what it claims (talk to the 4to.do API), but the registry metadata doesn't list the runtime requirements the SKILL.md documents. Before installing: (1) confirm you are comfortable adding a FOURTODO_API_TOKEN to your OpenClaw host config or Docker env (do not paste tokens into chat); (2) ensure curl is available in the environment where the agent will run; (3) ask the skill author or registry maintainer to update the package metadata to declare FOURTODO_API_TOKEN and the curl dependency so the platform can warn you; (4) if you enable the skill in your host OpenClaw config, back up ~/.openclaw/openclaw.json and prefer injecting the token from your hosting provider's secret store rather than hardcoding it in the file.

Like a lobster shell, security has layers — review code before you run it.
