Todo Manager
PassAudited by ClawScan on May 10, 2026.
Overview
The artifacts look like a simple instruction-only todo manager, with only minor provenance and environment-declaration notes and no evidence of malicious behavior.
This appears safe to use as a basic todo skill based on the provided artifacts. Before installing, verify you trust the publisher and installer source, and be aware that task contents may persist as part of normal todo/reminder functionality.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user following the README would run the current latest ClawHub installer rather than a pinned version.
The installation example is user-directed and purpose-aligned, but `@latest` is mutable, so the exact installer code can change over time.
npx clawhub@latest install todo-manager
Install only from a trusted ClawHub/npm source, and prefer a pinned or official installer version if reproducibility is important.
The skill may appear to require a network-capable utility even though no reviewed instruction shows why it is needed.
The skill is otherwise instruction-only and the visible usage examples do not mention curl, so this dependency declaration is not explained by the provided artifacts.
"requires":{"bins":["curl"]}The publisher should remove the curl requirement if unused, or document exactly why it is needed.