push-task-to-negative-screen

High-level points to check before installing: 1) Config file access not declared: the code reads ~/.openclaw/openclaw.json for the skill config. If that file contains other secrets or configuration you do not want accessed, review the file and the code's exact read behavior. Prefer setting only the minimal today-task config entry. 2) Endpoint and data flow: the skill will POST your authCode, task_content and metadata to the configured pushServiceUrl. Default URL is a Huawei domain (hiboard-claw-drcn.ai.dbankcloud.cn). If you are uncomfortable with that destination, set pushServiceUrl to a trusted endpoint or run in dry-run mode for testing. 3) Local storage & logs: the skill creates logs/ and push_records/ and may save push responses. SECURITY.md says authCode is masked in logs, but you should inspect the saved files (or disable save_records) to ensure full tokens are not persistently stored. 4) Chat-based auth detection: scripts include an AuthCodeManager that can detect tokens in arbitrary text. Avoid pasting auth codes into chat; prefer setting authCode via openclaw config commands as instructed. 5) Network activity: update_checker and the push client perform outbound network requests (to ClawHub and to your configured pushServiceUrl). If network egress is a concern, run the skill in an isolated environment or disable update checks. 6) Recommended actions: review the code files (task_push.py, task_pusher.py, hiboards_client.py, config.py) to confirm what is logged and stored; set save_records=false if you don't want local records; set pushServiceUrl to a destination you control for testing; consider running the skill in a container or limited environment. Given the declared purpose is coherent with the code, but the undeclared global-config file access and the presence of auth-detection logic increase privacy risk, proceed only after reviewing/limiting configuration and storage settings.