Task Tracker
v1.0.0
Personal task management with daily standups and weekly reviews. Use when: (1) User says 'daily standup' or asks what's on their plate, (2) User says 'weekly review' or asks about last week's progress, (3) User wants to add/update/complete tasks, (4) User asks about blockers or deadlines, (5) User shares meeting notes and wants tasks extracted, (6) User asks 'what's due this week' or similar.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the code and CLI commands: scripts for listing, adding, completing, extracting, standup and weekly review exist and operate on a TASKS.md under ~/clawd/memory/work which is declared in the SKILL.md metadata. That is coherent for a personal task-tracker.
Instruction Scope
SKILL.md instructs running local Python scripts that will read/write ~/clawd/memory/work/TASKS.md and archive files. It also describes automatic posting to a Telegram journaling group and extraction from free-text meeting notes (which produces shell commands). The skill's runtime instructions allow executing generated shell commands and performing file writes; parsing arbitrary notes into commands can create risks (e.g., accidental command injection) if outputs are executed without review.
Install Mechanism
Registry metadata initially listed 'No install spec', but SKILL.md metadata contains an install entry that runs 'python3 scripts/init.py'. That is an on-disk install action (script execution) and should be reviewed; installer scripts can modify files. No external downloads are present, which lowers remote-code risk, but the presence of an install script that will be executed automatically is under-declared in the registry summary and is a mismatch to note.
Credentials
Registry lists no required environment variables, yet the docs/Automation claim posting to Telegram (and a scripts/telegram-commands.sh file exists). There is no declared TELEGRAM_TOKEN or similar credential in requires.env. If the skill posts to Telegram or other network endpoints, credentials and network destinations should be explicitly declared; absence is an incoherence and could hide required sensitive configuration or unexpected network behavior.
Persistence & Privilege
The skill does not set always:true and does not disable model invocation, so the model could invoke the skill autonomously. For a task manager that reads/writes local memory files, this is moderately privileged but not unusual. Because the skill can run local scripts and may post externally, consider disabling autonomous invocation or requiring explicit user confirmation for actions that modify files or send external messages.
What to consider before installing
This skill largely looks like a local task manager, but a few mismatches deserve attention before installing:
- Review the actual script contents (scripts/*.py and scripts/telegram-commands.sh) before running the install or init script. The SKILL.md will run python3 scripts/init.py — inspect that script to see what files it creates or modifies.
- Check for network calls in the scripts (HTTP requests, curl, or use of Telegram APIs). If the skill is going to post to Telegram, it should declare the TELEGRAM_TOKEN or similar credential; absence of such an env var in the registry is suspicious. Don't provide secrets until you confirm where/how they're used.
- Be cautious with the extract_tasks flow: it parses free text and emits shell commands like tasks.py add ... — ensure those outputs are never executed automatically on untrusted input to avoid injection. Prefer manual review of extracted commands or add sanitization.
- Because the model can invoke the skill by default, consider setting disableModelInvocation or requiring explicit user triggers if you want to avoid autonomous modifications to your TASKS.md.
If you want higher confidence, provide the contents of the scripts (init.py, tasks.py, extract_tasks.py, telegram-commands.sh) so they can be inspected for network destinations, shell execution, credential use, or writes to paths outside ~/clawd/memory/work.
Like a lobster shell, security has layers — review code before you run it.
latest vk978rmxqfn4qjz2gsj4h4dnm9n7zmw19
Runtime requirements
📋 Clawdis
