ClawHub

tududi

v1.0.1

Manage tasks, projects, and notes in tududi (self-hosted task manager). Use for todo lists, task management, project organization.

0· 1.3k·0 current·0 all-time
by@chrisvel
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name and description (self-hosted tududi task manager) match the runtime instructions: curl-based calls to a user-provided TUDUDI_URL using an API token. The described capabilities are consistent with a simple API wrapper.
!
Instruction Scope
SKILL.md instructs the agent to call the tududi API and to read environment variables (TUDUDI_URL, TUDUDI_API_TOKEN) from openclaw.json; it does not instruct any broad data collection or unrelated file reads. However, the instructions rely on environment variables that the skill manifest did not declare, which is an inconsistency that affects trust and runtime behavior.
Install Mechanism
No install spec and no code files — instruction-only skill. This is low-risk from an install perspective because nothing is downloaded or written to disk by the skill package itself.
!
Credentials
The SKILL.md requires an API token (TUDUDI_API_TOKEN) and a base URL (TUDUDI_URL), which are proportionate to the stated purpose. However, the registry metadata lists no required environment variables or primary credential, so the manifest underreports the sensitive data the skill needs. That mismatch is a red flag: a token is required at runtime but not declared in the skill metadata.
Persistence & Privilege
The skill does not request persistent/always-on inclusion (always: false) and does not request elevated platform privileges. Autonomous invocation is allowed by default but is not combined with other privilege/always flags here.
What to consider before installing
This skill appears to be a simple tududi API helper, but its SKILL.md requires two environment variables (TUDUDI_URL and TUDUDI_API_TOKEN) that the registry metadata does not declare. Before installing: (1) ask the publisher to update the manifest to list required env variables and mark the API token as the primary credential; (2) only provide a scoped API token (least privilege) and point TUDUDI_URL to a trusted/self-hosted endpoint (prefer HTTPS); (3) avoid putting long-lived high-privilege tokens in a shared openclaw.json unless you trust the skill and host; (4) verify the skill behavior in a safe environment first. If the publisher cannot justify the missing manifest entries, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk977028ntweeq26p1k455m7bnh80s6r9

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments