super-product

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent Super Productivity CLI helper, with the main cautions being an external Python package install and user-directed commands that can change or delete task data.

Reasonable to install if you intend to manage Super Productivity from the command line. Before installing, verify the `super-productivity-cli` package source, and during use confirm IDs before edit/delete/log commands. Be cautious with `--full` output or any cloud sync setup because task data may contain private work or personal details.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken command could change or remove tasks, counters, or time logs in the user's Super Productivity data.

Why it was flagged

The skill documents commands that can modify, complete, or delete local task data. This is expected for a task-management CLI and the instructions say modifications require IDs, but users should review high-impact actions before running them.

Skill content

`sp task edit <task-id> --title "<新标题>"` ... `sp task done <task-id>` ... `sp task delete <task-id>`

Recommendation

Use list/search to confirm the correct ID, and require explicit user confirmation before running edit, done, log, or delete commands.

What this means

Installing the wrong or compromised package could affect the user's local environment.

Why it was flagged

The skill asks users to install an external Python package. This is central to the CLI purpose, but the registry metadata provides no source/homepage or install spec, so package provenance should be checked.

Skill content

`pip install super-productivity-cli`

Recommendation

Verify the package on the package index, check maintainer/project provenance, and install in a controlled Python environment if possible.

What this means

Private task names, project details, notes, or planning information could be displayed to the agent during normal use.

Why it was flagged

The CLI can list all tasks and output full entity data. That is purpose-aligned, but the resulting task/project content may enter the agent's context and should be treated as user data, not authoritative instructions.

Skill content

`sp task list` | List all tasks ... `--full`: include full entity data

Recommendation

Avoid using `--full` unless needed, and do not treat task descriptions or stored text as instructions for the agent.