Skill v1.0.0

ClawScan security

Cn Todo Today · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 30, 2026, 1:07 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
A simple local todo manager that stores data in a JSON file in the user's home directory; functionality and requirements are proportionate, with minor documentation mismatches to review before use.
Guidance
This skill is a small, local todo manager and appears coherent with its description, but check a few things before installing: (1) verify the script path — examples assume cn_todo_today.py in the current directory but the file is provided under scripts/; (2) the SKILL.md mentions daily automatic cleanup but the script does not implement that — if you need that behavior you should update the script; (3) the todo data is stored as plaintext at ~/.cn_todo_today.json — if that is sensitive, secure the file (restrict permissions, move to an encrypted location, or avoid storing sensitive items); (4) review the included Python code yourself (it's short and readable) since the package is auto-generated and labeled "无人工审查" (no human review). If these points are acceptable, the skill's footprint is small and local.

Review Dimensions

Purpose & Capability
note: Name/description (今日待办管理器, "today's todo manager") match the included script, which implements add/list/done/delete/stats. No extraneous credentials, network access, or unrelated binaries are requested. Minor mismatch: SKILL.md claims "每天会自动清理已完成的待办" (daily automatic cleanup), but the shipped script contains no code to perform automatic daily cleaning.
Instruction Scope
note: SKILL.md usage examples call python3 cn_todo_today.py, but the repository provides scripts/cn_todo_today.py — the user must run the script from the scripts directory or move it into PATH. The runtime instructions and the script operate only on a single local file (~/.cn_todo_today.json) and do not access other files, environment variables, or network endpoints.
Install Mechanism
ok: No install spec is provided (instruction-only with an included script). Nothing is downloaded or written by an installer; risk from installation mechanism is minimal.
Credentials
ok: The skill requests no environment variables, credentials, or config paths. It only reads/writes a JSON file in the user's home directory, which is consistent with its purpose. Note: stored todos are plaintext in ~/.cn_todo_today.json and therefore accessible to any account/process with access to the user's home directory.
Persistence & Privilege
ok: always is false and the skill doesn't request persistent system privileges or modify other skills or system-wide settings. Autonomous invocation is allowed by default but not unusual; this skill's operations are local and low-privilege.