TODO Tracker (Safe)
Pass
Audited by ClawScan on May 1, 2026.
Overview
This appears to be a straightforward local TODO tracker; the main things to notice are expected local file persistence and task-file modification.
This looks reasonable for normal TODO use. Before installing, be comfortable with a persistent local TODO file, avoid putting secrets in tasks, and keep TODO_FILE pointed at a dedicated TODO document.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can create, edit, and delete entries in the chosen TODO file; if TODO_FILE is pointed at the wrong file, the user could affect unintended local content.
The script creates and rewrites the configured TODO file, including removing matching TODO lines. This is expected for the stated purpose, but it is still local file mutation.
TODO_FILE="${TODO_FILE:-${HOME}/.openclaw/workspace/TODO.md}"; grep -vF -- "$found_line" "$TODO_FILE" > "$tmp_file" && mv "$tmp_file" "$TODO_FILE"
Use the default path or a dedicated TODO file, and review requests that mark tasks done or remove tasks.
Sensitive task text, or instruction-like text saved as a TODO item, may be shown to the agent in future sessions.
The skill stores TODO items across sessions and may surface summaries automatically, so user-supplied task text can persist and reappear in later agent context.
Use for task management across sessions... automatically shows a summary on heartbeat
Do not store secrets in TODO entries, and treat TODO contents as user data rather than as instructions unless the user explicitly confirms them.
