4todo
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: 4todo
Version: 0.1.3
The skill is designed to manage 4todo (4to.do) tasks via its API using `curl`. All instructions in `SKILL.md` and `references/api_v0.md` consistently direct API calls to `https://4to.do/api/v0`. The skill explicitly instructs the agent on secure handling of the `FOURTODO_API_TOKEN` environment variable, advising against pasting secrets into prompts or logs, which is a strong indicator of security-conscious design. There is no evidence of data exfiltration, malicious execution (e.g., `curl|bash`), persistence mechanisms, or prompt injection attempts to subvert the agent's core purpose or access unrelated sensitive data.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Any person or agent running with this token can access the permitted 4todo API actions, including listing and changing tasks.
The skill requires a bearer token that grants access to the user's 4todo account. This is expected for the integration, but it is sensitive authority.
`FOURTODO_API_TOKEN`: your 4todo API token (Bearer token) ... Every request must include `Authorization: Bearer <token>`.
Use the narrowest token 4todo supports, inject it through a secret store or environment variable, avoid pasting it into chat, and revoke it if the skill is no longer needed.
A mistaken workspace or task choice could create, complete, or move tasks, or alter recurring-task behavior, in the user's 4todo account.
The skill is intended to issue API mutations that create, complete, reorder, or manage recurring todos. This is purpose-aligned, but it can change user data.
Perform the requested mutation (create / complete / reorder / recurring)
Review task and workspace names before approving changes, and ask for confirmation before broad, ambiguous, or recurring-task updates.
Users may not realize from the registry metadata alone that the skill needs curl and a 4todo API token.
The registry metadata does not declare the curl runtime dependency or the API-token credential that SKILL.md requires. The SKILL.md does disclose them, so this is a metadata completeness issue rather than hidden behavior.
Required binaries (all must exist): none ... Required env vars: none ... Primary credential: none
Declare curl and FOURTODO_API_TOKEN in the registry metadata so users see the requirements before installation.
