ClawHub

Taskify CLI

v1.0.3

Manage tasks and boards on Nostr relays via CLI to list, create, update, assign, complete, search, and export tasks with JSON support.

0· 109·0 current·0 all-time
by@ink-north
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Taskify CLI for Nostr) match the runtime instructions which direct the agent to install and use the taskify-nostr CLI. The SKILL.md's Node.js/npm install instructions and GitHub/npm links are coherent with the stated purpose. The skill does not declare unusual or unrelated privileges.
Instruction Scope
Instructions stay within the task management domain (list/create/update/delete boards/tasks, assign, export, etc.). Two important cautions are documented: (1) task syncs are published to Nostr relays (public by design) so data can be exposed depending on relay settings; (2) `taskify agent` forwards task text to an external AI backend — this is a potential data exfiltration/privacy risk if you send sensitive content. The SKILL.md warns about both, but the agent-run commands can still send data externally if configured.
Install Mechanism
This is an instruction-only skill (no install spec or code bundled). It recommends installing an npm package (taskify-nostr) from npm/github; the install is performed by the user/agent, not the platform. The guidance to verify the npm package and prefer local installs is appropriate.
Credentials
The skill declares no required environment variables or credentials. It documents local private key storage by the CLI and explicitly warns not to pass private keys via env vars. It also mentions configuring an AI backend (which may require credentials) but does not require any such variables itself — this is proportional but users should be aware that configuring the CLI/backend can introduce separate secrets outside the platform.
Persistence & Privilege
The skill is not always-enabled and does not request persistent platform privileges. As an instruction-only skill it does not write to disk itself. It does instruct use of a CLI that will store local config (including Nostr keys) — which is normal for a CLI tool and limited to that tool's config area.
Scan Findings in Context
[no-findings] expected: Regex-based scanner found no code files to analyze; this is an instruction-only skill (SKILL.md + reference docs) so static code findings are not applicable. Manual review focuses on the prose instructions.
Assessment
This skill is coherent with its description, but before installing or using it you should: (1) review the npm package and GitHub source the SKILL.md points to to ensure the upstream code is trustworthy; (2) prefer a local (non-global) npm install on shared systems and check where the CLI stores private keys (set file permissions appropriately); (3) avoid running `taskify agent` or forwarding board contents to any AI backend you do not control or fully trust; (4) be aware that Nostr relays receive task sync traffic — do not put sensitive data on boards or add untrusted relays. If you want higher assurance, inspect the taskify-nostr package source and its network behavior before use.

Like a lobster shell, security has layers — review code before you run it.

latestvk979qgxqh8hjgtrgm0b5jfdy9d834969

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments