4to1 Planner

Advisory. Audited by static analysis on May 5, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone who can read the local config file (~/.config/4to1/config) may be able to use the connected planning service with the token's permissions.

Why it was flagged

The setup script collects provider API tokens and saves them to ~/.config/4to1/config. This is expected for Notion/Todoist-style integrations, but these tokens are sensitive account credentials.

Skill content

    read -p "Paste your Notion API key: " notion_key
    echo "NOTION_API_KEY=$notion_key" >> "$CONFIG_DIR/config"

Recommendation

Use least-privilege integrations, share only the intended Notion page or project, protect ~/.config/4to1/config permissions, and revoke tokens when no longer needed.

What this means

Incorrect or unintended review outputs could change tasks, project progress, or planning notes in the connected backend.

Why it was flagged

The workflow tells the agent to write review results and update planning records. This is aligned with the planner purpose, but it is still mutation authority over user data.

Skill content

    ## Step 3: Write Results

    - Sprint log entry: completed, planned, reflection, energy level
    - Next week's tasks linked to milestones
    - Updated project progress
    - Any Not-To-Do / Time Waster additions

Recommendation

Ask the agent to summarize proposed changes before saving, especially for calendar entries, active projects, or shared workspaces.

What this means

Personal planning information may be repeatedly read and used by the agent during future planning conversations.

Why it was flagged

The skill intentionally reuses persistent planning data as context for coaching. That is purpose-aligned, but the data may include personal goals, habits, blockers, and routines.

Skill content

    From the configured backend, pull:
    - Current 2-week sprint tasks and completion status
    - Active 3-month milestone progress
    - Last review (for continuity)
    - Not-To-Do list + Time Wasters list

Recommendation

Avoid storing highly sensitive personal details unless needed, choose the local Markdown backend if privacy is the priority, and periodically review what data is stored.

What this means

Google Calendar setup may fail, or a user may be tempted to obtain and run an unreviewed helper from elsewhere.

Why it was flagged

The setup script references scripts/gcal_setup.py, but that file is not listed in the provided manifest. The Google Calendar OAuth setup path therefore cannot be reviewed from these artifacts.

Skill content

    echo "📅 Google Calendar setup requires OAuth. Run:"
    echo "   python3 $(dirname $0)/gcal_setup.py"

Recommendation

Do not run missing or externally supplied helper files unless you verify their source; use the included Notion, Todoist, or local Markdown paths if uncertain.

What this means

It may be harder to confirm exactly which package version or publisher identity the artifact represents.

Why it was flagged

The internal package metadata differs from the submitted registry metadata, which lists a different owner ID, slug, and version. This is a provenance/versioning inconsistency, not evidence of malicious behavior.

Skill content

    "ownerId": "kn7cdmnd107s52ptc87503mzyd80xyv7",
    "slug": "4to1-planner",
    "version": "2.0.0"

Recommendation

Verify the skill source and publisher before granting service tokens, especially if installing from outside the official registry.