Moltbot Plugin 2do

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its stated task-to-2Do purpose, but its launcher can fall back to running an undeclared npm-based TypeScript runner at runtime while SMTP credentials are present.

Review the install/build path before enabling this skill. Prefer a prebuilt version with locked dependencies, remove or pin the `npx tsx` fallback, and use a dedicated SMTP app password. Once installed safely, the core 2Do email behavior appears purpose-aligned.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A task request may cause extra, undeclared runtime code to be fetched or executed before sending email, increasing supply-chain exposure.

Why it was flagged

If the compiled build is missing, the launcher runs `tsx` through `npx` at task-send time. `tsx` is not declared as a package dependency in the provided package.json, and this fallback would execute additional npm-sourced code in the same environment as SMTP credentials.

Skill content

if [ -f "$PROJECT_DIR/dist/main.js" ]; then
    node "$PROJECT_DIR/dist/main.js" "$@"
else
    npx --prefix "$PROJECT_DIR" tsx "$PROJECT_DIR/src/main.ts" "$@"
fi

Recommendation

Install/build the skill ahead of time with pinned dependencies, include the compiled `dist/main.js`, or declare and lock the runtime TypeScript runner instead of relying on `npx` fallback.
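A fail-closed launcher along the lines of this recommendation, as an added example rather than the skill's own script. It assumes the same layout as the flagged snippet (dist/main.js, src/main.ts, package.json and package-lock.json under a project directory) and only ever runs the prebuilt entry point or a locally installed, lock-file-declared runner; when neither exists it exits with status 2 instead of letting `npx` fetch code at send time.

```sh
#!/bin/sh
# Added example, not the skill's own launcher: a fail-closed replacement for the
# dist/main.js -> `npx tsx` fallback. Assumes PROJECT_DIR-style layout with
# dist/main.js, src/main.ts, package.json and package-lock.json (assumptions).

# True when the prebuilt entry point exists; this is the only path that runs node.
launcher_ready() {
    [ -f "$1/dist/main.js" ]
}

# True only when the TypeScript runner is a declared *and* locked dependency,
# which is the alternative the review recommends to an ad-hoc npx fetch.
# Plain text check against package.json, not a full JSON parse.
tsx_is_declared() {
    [ -f "$1/package-lock.json" ] || return 1
    grep -q '"tsx"[[:space:]]*:' "$1/package.json" 2>/dev/null
}

# Runs the task script. Exit status 2 means "refused": nothing was fetched or run.
run_task_launcher() {
    project_dir="$1"
    shift
    if launcher_ready "$project_dir"; then
        node "$project_dir/dist/main.js" "$@"
    elif tsx_is_declared "$project_dir" && [ -x "$project_dir/node_modules/.bin/tsx" ]; then
        # Locally installed, lock-file-pinned runner; still no network access at send time.
        "$project_dir/node_modules/.bin/tsx" "$project_dir/src/main.ts" "$@"
    else
        echo "send-task: $project_dir/dist/main.js missing and no locked tsx; refusing to run npx" >&2
        return 2
    fi
}
```

The refusal branch is deliberate: a missing build is a deployment error to surface, not something to repair at task-send time while `SMTP_PASS` is in the environment.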

What this means

If user text is interpolated into a shell command unsafely, special characters in a task title could alter the command or cause failures.

Why it was flagged

The skill is intended to pass raw user text into a shell command. The script itself parses arguments rather than evaluating them, but the invoking agent still needs to shell-escape the raw message correctly.

Skill content

Pass the user's raw message... bash {baseDir}/scripts/send-task.sh --raw "USER_MESSAGE_HERE"

Recommendation

Only invoke the skill for clear task-creation requests, and ensure the agent/runtime passes arguments safely rather than constructing an unescaped shell string.
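To make the escaping point concrete, the following added example (not the skill's or any agent's code) compares an agent that fills "USER_MESSAGE_HERE" into one command string the shell re-parses with one that hands the title over as a single argv element. The `receiver_argc` and `receiver_raw` functions stand in for scripts/send-task.sh and only report what they were handed; the task title is constructed for the example.

```sh
#!/bin/sh
# Added example: string templating versus argv passing for the --raw message.
# receiver_argc / receiver_raw are stand-ins for scripts/send-task.sh (assumption);
# they send nothing and only report the arguments they received.

receiver_argc() { printf '%s\n' "$#"; }   # how many arguments arrived
receiver_raw()  { printf '%s\n' "$2"; }   # the value that followed --raw

# Unsafe: the title is spliced into a command string that the shell parses again,
# so quotes and spaces inside it move the word boundaries.
templated_argc() { eval "receiver_argc --raw \"$1\""; }

# Safe: the title travels as one argv element; the script sees exactly --raw <title>.
argv_argc() { receiver_argc --raw "$1"; }
argv_raw()  { receiver_raw  --raw "$1"; }

# Constructed task title with ordinary punctuation a user might type.
SAMPLE_TITLE='Plan "team lunch" on Friday'

main() {
    echo "templated: $(templated_argc "$SAMPLE_TITLE") args (2 expected)"
    echo "argv:      $(argv_argc "$SAMPLE_TITLE") args, raw=$(argv_raw "$SAMPLE_TITLE")"
}

main
```

With the sample title the templated form delivers three arguments (`--raw`, `Plan team`, `lunch on Friday`) while the argv form delivers two with the title intact, which is why the runtime should build an argument list rather than a command string.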

What this means

Anyone or anything able to invoke the skill with the configured SMTP environment variables can send email through the configured SMTP account to the configured 2Do inbox.

Why it was flagged

The skill requires SMTP account credentials so it can send task emails. This is expected for the stated email-to-2Do integration, but it grants the skill email-sending authority through that account.

Skill content

Required environment variables:
- `TWODO_EMAIL`
- `SMTP_HOST`
- `SMTP_PORT`
- `SMTP_USER`
- `SMTP_PASS`

Recommendation

Use an app-specific password or a dedicated low-privilege email account, and avoid reusing a primary mailbox password.

What this means

Private reminders or task details will pass through the user's email provider and the mailbox monitored by 2Do.

Why it was flagged

Parsed task details and, in natural-language mode, the raw user input are placed in an email and sent through the configured SMTP provider to the configured 2Do mailbox.

Skill content

await transporter.sendMail({
    from: config.smtp.user,
    to: config.twodoEmail,
    subject,
    text: body,
});

Recommendation

Do not include highly sensitive information in task text unless you are comfortable sending it by email, and configure 2Do capture rules carefully.