Pndr
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: pndr Version: 1.0.20260202 The skill bundle is benign. It integrates with a personal productivity app (Pndr) via the Model Context Protocol (MCP). The `SKILL.md` provides clear instructions for setting up OAuth authentication with `pndr.io` using a standard `curl` command to obtain an access token. All listed tools and functionalities are consistent with a productivity application, such as managing tasks, habits, and journal entries, and there is no evidence of data exfiltration to unauthorized endpoints, malicious execution, persistence mechanisms, or prompt injection attempts against the agent. The `download_attachment` tool is a legitimate feature for retrieving user's own attachments from the Pndr service.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any agent with the configured token may be able to access and modify the user's Pndr data according to the token's permissions.
The skill requires OAuth credentials or an access token for the user's Pndr account. This is expected for the integration, but it is sensitive authority over the account.
Then provide your Pndr OAuth credentials when prompted.
Use a dedicated Pndr OAuth client or token if possible, avoid pasting secrets into ordinary chats, and revoke the token if you stop using the integration.
Mistaken or overly broad agent actions could remove or alter tasks, lists, journal entries, habits, packages, tags, or comments.
The MCP tool catalog includes destructive account operations. These are consistent with a productivity manager, but users should understand that the agent may be able to delete or change stored data.
`delete_list` - Delete a list and all its items
Ask the agent to confirm before deletions or bulk edits, and review important changes in Pndr when using the integration.
Private productivity and journal data may be included in AI interactions when the assistant uses the Pndr MCP tools.
The skill intentionally connects an AI assistant to private Pndr account data over MCP. This is the core purpose, but it means personal tasks, journal content, package data, and related records can be retrieved or changed through the integration.
Pndr exposes your personal productivity data through the Model Context Protocol (MCP), allowing AI assistants to interact with your tasks, habits, and journal on your behalf.
Only connect this skill to an assistant and MCP client you trust, and avoid storing highly sensitive journal entries or attachments if you do not want them accessible through AI tooling.