Todo Manager

AdvisoryAudited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Note

ASI04: Agentic Supply Chain Vulnerabilities

What this means

A user following the README would run the current latest ClawHub installer rather than a pinned version.

Why it was flagged

The installation example is user-directed and purpose-aligned, but `@latest` is mutable, so the exact installer code can change over time.

Skill content

npx clawhub@latest install todo-manager

Recommendation

Install only from a trusted ClawHub/npm source, and prefer a pinned or official installer version if reproducibility is important.

Note

ASI04: Agentic Supply Chain Vulnerabilities

What this means

The skill may appear to require a network-capable utility even though no reviewed instruction shows why it is needed.

Why it was flagged

The skill is otherwise instruction-only and the visible usage examples do not mention curl, so this dependency declaration is not explained by the provided artifacts.

Skill content

"requires":{"bins":["curl"]}

Recommendation

The publisher should remove the curl requirement if unused, or document exactly why it is needed.