4to1 Planner Bak
Pass
Audited by VirusTotal on May 5, 2026.
Overview
Type: OpenClaw Skill
Name: 4to1-planner-bak
Version: 1.0.0
The skill provides a comprehensive planning system but relies on high-risk capabilities, including shell command execution (curl, grep), local filesystem access for configuration (~/.config/4to1/), and the handling of sensitive API keys for Notion and Todoist. While these actions in SKILL.md and scripts/setup.sh are aligned with the stated purpose of a cross-platform planning coach, the use of raw shell commands to manage credentials and perform network operations meets the criteria for a 'suspicious' classification due to the inherent risk of these capabilities.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
You may be trusting a copied, backup, or mispackaged skill with access to planning accounts.
The internal package metadata identifies a different slug, owner, and version than the registry entry under review, which is a provenance mismatch for a skill that asks users to provide account tokens.
"ownerId": "kn7cdmnd107s52ptc87503mzyd80xyv7", "slug": "4to1-planner", "version": "2.0.0"
Verify the publisher and package provenance before entering API tokens; the registry metadata and packaged metadata should be aligned.
The Google Calendar path appears incomplete or unreviewable from the provided artifacts.
The Google Calendar OAuth setup points to gcal_setup.py, but that file is not included in the supplied file manifest.
echo " python3 $(dirname $0)/gcal_setup.py"
Do not fetch or run an outside OAuth helper unless you can verify its source; the package should include the referenced helper or remove the instruction.
Anyone or anything that can read the config file may be able to use your Notion or Todoist access.
The setup flow asks for provider API tokens and saves them locally in plaintext. This is expected for the integrations, but it is sensitive authority.
read -p "Paste your Notion API key: " notion_key
echo "NOTION_API_KEY=$notion_key" >> "$CONFIG_DIR/config"
Use the narrowest possible provider token, share only the needed Notion page, protect the config file permissions, and avoid entering credentials until you trust the package.
If the config file is corrupted or tampered with, running the status script could execute unintended commands on your machine.
The status script executes the local config file as shell code instead of safely parsing key/value settings.
source "$CONFIG"
Replace shell sourcing with safe config parsing and ensure the config file is created with restrictive permissions.
The skill can create or update planning structures in your connected tools.
The skill documents direct API calls that create pages and databases in Notion. This is purpose-aligned but modifies a third-party workspace.
curl -s -X POST "https://api.notion.com/v1/pages"
Confirm the target page, project, or calendar before allowing setup or review actions to write changes.
Personal planning history may be read and reused during future agent conversations.
The weekly review flow reuses persistent planning data from the configured backend, which can include personal goals, habits, and reflections.
From the configured backend, pull:
- Current 2-week sprint tasks and completion status
- Active 3-month milestone progress
- Last review
Use a dedicated workspace or local directory for this planner, and avoid storing sensitive personal information you do not want the agent to process.
