Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Todo Tracker (CN)

v1.1.0

Generates, tracks, and verifies the execution status of to-do lists. Provides four core actions: generate-todo-list, mark-completed, show-progress, verify-completion.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, and code align: the included Python implements generate-todo-list, mark-completed, show-progress, and verify-completion and stores state in ~/.openclaw/workspace/todo-current.json. Required binary (python3) is appropriate.
Instruction Scope
Runtime instructions show how to run the included script and reference data at ~/.openclaw/workspace/todo-current.json, which matches the code. However, SKILL.md and README also claim integration with a Self-Improving flow and writing to ~/self-improving/corrections.md (and elsewhere mention corrections.md/memory.md/heartbeat-state.md), whereas the code appends only to ~/.openclaw/workspace/MEMORY.md, and only if that file already exists. The docs and examples overstate or mismatch actual behavior.
Install Mechanism
No install spec (instruction-only plus bundled Python file). Nothing is downloaded or executed outside the included script; risk from install mechanism is low.
Credentials
The skill requests no environment variables or external credentials. It only reads/writes files under the user's home (~/.openclaw). File access permissions declared in plugin.json (file.read/file.write) align with what the code does.
Persistence & Privilege
The skill writes persistent state to ~/.openclaw/workspace/todo-current.json and may append to ~/.openclaw/workspace/MEMORY.md if that file exists. always:false and no system-wide config changes; privileges are limited to user home paths.
What to consider before installing
This skill's code generally matches a basic todo tracker and does not request secrets or network access, but the documentation claims extra integrations and different file paths that the code does not implement. Before installing: (1) review the bundled todo_tracker.py to confirm you are comfortable with it writing to ~/.openclaw/workspace/; (2) if you expect integration with a Self-Improving system, verify or patch the code (it currently appends only to ~/.openclaw/workspace/MEMORY.md and only if that file exists); (3) consider creating a dedicated test account or sandbox to run the skill first; (4) if you need persistent archiving, either create the expected MEMORY.md or modify append_to_memory to write to your desired path. The inconsistencies look like sloppy documentation rather than malicious behavior, but verify behavior before granting broader trust.

Like a lobster shell, security has layers — review code before you run it.

Tags: chinese, latest, openclaw, productivity, task, todo

Runtime requirements

Clawdis
Bins: python3
