Skill v1.0.9
ClawScan security
Openclaw with Remember The Milk · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict: Benign (Mar 31, 2026, 7:11 AM)
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requested secrets match its claimed purpose (Remember The Milk integration); nothing in the package suggests hidden or unrelated behavior, but it does store credentials/tokens in the user's home directory in plaintext and the registry metadata has a minor mismatch with the plugin manifest.
- Guidance: This package appears to be a straightforward Remember The Milk integration and is coherent with its README and code. Before installing: (1) verify you trust the skill source (the registry metadata lacks a homepage and the owner/slug are opaque); (2) expect the skill to save your API key/shared secret and the RTM auth token as plaintext JSON in your home directory (~/.rtm-credentials.json and ~/.rtm-token.json); the code sets restrictive file permissions (0o600) but the contents are not encrypted; (3) if you prefer, use a secure secrets store rather than leaving keys in files or a .env; (4) if you uninstall, delete those files and revoke the RTM token in your RTM account; (5) the registry metadata inconsistency (required env vars: none vs plugin manifest listing required env vars) is a packaging/metadata issue; consider asking the publisher for clarification or reviewing the source code yourself before use.
Review Dimensions
- Purpose & Capability (ok): The skill claims to integrate Remember The Milk (RTM) and the code and README exclusively implement RTM API interactions. The plugin manifest (openclaw.plugin.json) declares RTM API credentials (RTM_API_KEY, RTM_SHARED_SECRET) which are exactly what the skill needs. Note: the registry metadata included with the submission listed 'Required env vars: none' which contradicts the plugin manifest and SKILL.md; this is an inconsistency in metadata but not evidence of malicious behavior.
- Instruction Scope (note): SKILL.md and index.js instruct the agent/user how to obtain and store RTM credentials and authorize the app. The runtime instructions and code only read/write the skill's .env (in the skill folder) and three files in the user's home directory (~/.rtm-credentials.json, ~/.rtm-token.json, ~/.rtm-id-cache.json). The README warns that the token is saved in plaintext and the code sets file mode 0o600 when writing files. There are no instructions to read unrelated system files, other credentials, or to send data to unexpected endpoints; the network calls go to official RTM endpoints.
- Install Mechanism (ok): No external download/install spec is present (instruction-only install). SKILL.md suggests 'npm link' which is standard and package.json provides a bin entry. There are no remote downloads, URL shorteners, or archive extraction steps. The package's CLI entry points to test.js (used as a lightweight CLI/test runner) which is unconventional but not inherently risky.
- Credentials (note): The only secrets needed are the RTM API Key and Shared Secret and an RTM auth token; these are appropriate for the described purpose. The code persistently saves credentials and the auth token to files in the user's home directory; while file mode 0o600 is used, the token/credentials are stored in plaintext JSON. Also note the mismatch between the registry metadata (which shows no required env vars) and openclaw.plugin.json (which lists RTM_API_KEY and RTM_SHARED_SECRET).
- Persistence & Privilege (ok): The skill does not request always:true and does not modify other skills or system-wide agent settings. It persists its own credential and cache files under the user's home directory (normal for a CLI integration). The skill allows autonomous invocation (disable-model-invocation: false) which is the platform default; this combined with only RTM credentials does not create a disproportionate risk.
