Tiny Talking Todos
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent todo-list CLI skill, but users should notice it installs an external CLI, uses account login, can change or delete synced todo data, and may start a short-lived daemon.
Before installing, make sure you trust the external `@ojschwa/ttt-cli` package, authenticate only with the intended TinyTalkingTodos account, ask the agent to confirm deletes and bulk updates, avoid exporting credentials unless necessary, and stop the daemon if you do not want a background connection.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If allowed to act without review, an agent could change or delete synced todo data.
The skill documents commands that can delete lists even when they contain todos and can update multiple todo items at once. This is aligned with todo management, but it is mutating authority.
`ttt list delete "Old List" --force` ... `ttt todo batch-update --items`
Require explicit confirmation for delete, force-delete, and batch-update actions, and use the documented undo/history commands if a mistake is made.
Commands run through the authenticated CLI can act on the user's synced todo account; exported credentials could be reused by scripts or exposed in the environment.
The skill requires authentication to the user's TinyTalkingTodos account and includes an option to export credentials for scripts. This is expected for the service integration but is still account-level access.
Before using the CLI, the user must be authenticated: ... `ttt auth login` ... `ttt auth export`
Authenticate only with the intended account, avoid credential export unless needed, and log out on shared machines.
Installing the external CLI gives that package execution ability on the local machine when installed or run.
The skill depends on installing an external npm package globally rather than bundling reviewed code. This is a normal setup pattern for a CLI skill, but users should trust the package source.
`npm install -g @ojschwa/ttt-cli`
Install from the expected npm package and publisher, and keep the CLI updated from a trusted source.
A background process and network connection may remain active briefly after commands are used.
The skill discloses background daemon behavior and a persistent connection. It is bounded by an inactivity shutdown and is purpose-aligned for performance.
The daemon keeps a persistent WebSocket connection ... auto-starts on first command if not running ... auto-shuts down after 30 minutes of inactivity.
Use `ttt daemon status` and `ttt daemon stop` if you do not want the daemon to keep running.
