Flatnotes + Tasks.md GitHub Audit
v1.0.0
Thoroughly audit Tasks.md + Flatnotes for drift and accuracy; use GitHub (gh CLI) as source of truth to detect stale notes/cards and missing links. Produces a report and an optional fix plan.
by @branexp
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The declared purpose (audit Tasks.md + Flatnotes using GitHub as source of truth) matches what the script does: it reads local Flatnotes and Tasks folders, parses a project registry, and calls the gh CLI to reconcile PRs. Small inconsistency: the registry metadata lists no required binaries, but the runtime expects Node (to run the .mjs) and the gh CLI; SKILL.md mentions gh behavior but the manifest does not declare these as required.
Instruction Scope
Instructions and code are narrowly scoped to auditing: they read files under the configured Tasks.md and Flatnotes roots, parse content, and optionally create limited Flatnotes files when asked. There are no instructions to read unrelated system config, environment secrets, or to send arbitrary data to external endpoints. GitHub access is via the local gh CLI, which will use the user's existing gh authentication if present.
Install Mechanism
No install spec is present (instruction + bundled script only). No downloads or external installers are executed by the skill. The included script is plain JavaScript (no obfuscation) and will run under Node when invoked.
Credentials
The skill requests no credentials or special env vars in the manifest and only uses two optional env vars (TASKS_ROOT, FLATNOTES_ROOT) to override defaults. It does rely on the user having gh configured for GitHub checks, but it does not demand tokens itself. The main proportionality note is the manifest not declaring 'gh' / 'node' as required binaries.
Persistence & Privilege
The skill does not request persistent presence (always:false). It writes report outputs to a tmp directory and may create new Flatnotes files only when explicitly asked; SKILL.md includes guardrails to ask before destructive actions.
Assessment
This skill appears to do what it claims: it reads your Tasks.md and Flatnotes data and uses the local gh CLI to compare PRs. Before installing/running:
1) Verify you are comfortable that the script will read files under the default paths (/home/ds/...) or set TASKS_ROOT/FLATNOTES_ROOT to point to the correct locations.
2) Ensure Node and the gh CLI are available and that you understand gh will use your existing GitHub authentication (the skill does not request tokens itself).
3) Run it in report-only mode first (no auto-fixes) and review tmp/flatnotes-tasksmd-audit.{md,json}.
4) If you allow auto-fixes, back up Flatnotes/Tasks.md first and review which auto-fixes the tool will perform (it claims to only create missing notes, add ADR links, move specific cards, and add missing pointers; it should ask before renames/deletes).
5) If you want to be extra cautious, inspect scripts/audit.mjs yourself or run it in a non-production copy of your data.
Like a lobster shell, security has layers — review code before you run it.
