TODO Tracker

Pass

Audited by ClawScan on May 1, 2026.

Overview

This looks like a straightforward local TODO-list skill; the main things to notice are that tasks persist in TODO.md and done/remove commands use partial text matching.

This skill appears reasonable to install if you want a local persistent TODO.md file. Avoid putting secrets in the TODO list, review the file periodically, and use precise wording when removing or marking items done.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A vague remove or done request could change the wrong TODO entry, though the default impact is limited to the local TODO.md file.

Why it was flagged

The remove path uses a user-provided pattern in the TODO line deletion logic. This is expected for partial matching, but broad or regex-like patterns can remove more TODO entries than intended.

Skill content

sed -i '' "/\- \[.\].*$pattern/d" "$TODO_FILE" 2>/dev/null || \

Recommendation

Use specific item text when marking items done or removing them. Maintainers should consider fixed-string matching, escaping pattern metacharacters, or confirming the matched item before deletion.

What this means

TODO items may reappear in future sessions or heartbeat reminders, and anyone or anything that edits TODO.md could influence those reminders.

Why it was flagged

The skill intentionally stores task data in a persistent workspace file that can be reused across sessions and heartbeat summaries.

Skill content

Maintain a persistent TODO.md scratch pad in the workspace.

Recommendation

Do not store secrets or highly sensitive information in TODO.md. Review or clear the file periodically, especially in shared workspaces.