4to1 Planner Bak
Review
Audited by ClawScan on May 10, 2026.
Overview
The planner’s main purpose is coherent, but it asks for planning-account API tokens while the package identity is inconsistent and the shell helpers handle local config in risky ways.
Before installing, verify that this is the intended publisher/package despite the metadata mismatch. If you proceed, prefer a dedicated Notion page or local Markdown backend, use the least-privileged tokens available, restrict file permissions on ~/.config/4to1/config, and do not run the missing Google Calendar OAuth helper from an unverified source.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
You may be trusting a copied, backup, or mispackaged skill with access to planning accounts.
The internal package metadata identifies a different slug, owner, and version than the registry entry under review, which is a provenance mismatch for a skill that asks users to provide account tokens.
"ownerId": "kn7cdmnd107s52ptc87503mzyd80xyv7", "slug": "4to1-planner", "version": "2.0.0"
Verify the publisher and package provenance before entering API tokens; the registry metadata and packaged metadata should be aligned.
The Google Calendar path appears incomplete or unreviewable from the provided artifacts.
The Google Calendar OAuth setup points to gcal_setup.py, but that file is not included in the supplied file manifest.
echo " python3 $(dirname $0)/gcal_setup.py"
Do not fetch or run an outside OAuth helper unless you can verify its source; the package should include the referenced helper or remove the instruction.
Anyone or anything that can read the config file may be able to use your Notion or Todoist access.
The setup flow asks for provider API tokens and saves them locally in plaintext. This is expected for the integrations, but the stored tokens carry sensitive authority.
read -p "Paste your Notion API key: " notion_key
echo "NOTION_API_KEY=$notion_key" >> "$CONFIG_DIR/config"
Use the narrowest possible provider token, share only the needed Notion page, protect the config file permissions, and avoid entering credentials until you trust the package.
If the config file is corrupted or tampered with, running the status script could execute unintended commands on your machine.
The status script executes the local config file as shell code instead of safely parsing key/value settings.
source "$CONFIG"
Replace shell sourcing with safe config parsing and ensure the config file is created with restrictive permissions.
The skill can create or update planning structures in your connected tools.
The skill documents direct API calls that create pages and databases in Notion. This is purpose-aligned but modifies a third-party workspace.
curl -s -X POST "https://api.notion.com/v1/pages"
Confirm the target page, project, or calendar before allowing setup or review actions to write changes.
Personal planning history may be read and reused during future agent conversations.
The weekly review flow reuses persistent planning data from the configured backend, which can include personal goals, habits, and reflections.
From the configured backend, pull:
- Current 2-week sprint tasks and completion status
- Active 3-month milestone progress
- Last review
Use a dedicated workspace or local directory for this planner, and avoid storing sensitive personal information you do not want the agent to process.
