tududi
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: tududi Version: 1.0.1 The skill is designed to interact with a self-hosted task manager (`tududi`) using a user-provided URL and API token. All `curl` commands in `SKILL.md` are directed to the configured `$TUDUDI_URL` and use the `$TUDUDI_API_TOKEN` for authentication, which is consistent with the stated purpose. There is no evidence of data exfiltration to external, unrelated endpoints, malicious execution, persistence mechanisms, or prompt injection attempts to subvert the agent's intended behavior.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using this skill should know the agent can act through the configured tududi API token.
The skill requires a bearer token for the user's tududi instance. This is expected for the integration, but it gives the agent delegated access to the user's task-management account.
`TUDUDI_API_TOKEN` - API token from tududi Settings → API Tokens
Use a token intended for automation if tududi supports it, store it securely in the skill environment, and revoke it if the skill is no longer needed.
The agent could create, update, archive, or delete tasks and inbox items in the configured tududi instance.
The skill documents direct API calls, including deletion of tasks and inbox items. These operations are aligned with task management, but they can permanently change user data if invoked incorrectly.
curl -s -X DELETE $TUDUDI_URL/api/v1/task/{uid} \
-H "Authorization: Bearer $TUDUDI_API_TOKEN"Review requested task changes before allowing delete or bulk-update actions, and keep backups or recovery options for important task data.
A user may not realize from the registry metadata alone that setup requires a tududi URL and API token.
The registry metadata does not declare the environment variables and API token that SKILL.md says are needed. This is a metadata completeness issue rather than evidence of hidden behavior.
Required env vars: none; Primary credential: none
Confirm the skill configuration includes only the intended TUDUDI_URL and TUDUDI_API_TOKEN for the tududi instance you want the agent to manage.