Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Todo SQLite

v1.1.0

Manage multi-project todos with SQLite, supporting subtasks, priority/urgency levels, keyword search, time filters, smart sorting, and scheduled reminders.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the implementation intent: a local SQLite-based todo manager storing DB at ~/.openclaw/workspace/data/todo.db. The skill does not request unrelated credentials or binaries. However, the code and SKILL.md disagree on how importance/urgency are represented (SKILL.md says numeric 1/2/3; parts of todo.py use string labels like 'critical'/'high'/'medium'/'low' and other parts treat levels as ints). These inconsistencies suggest poor implementation or drift between docs and code.
Instruction Scope
SKILL.md instructions stay within scope: create/list/edit/delete todos, and using OpenClaw cron to run 'todo list-all --pending' for reminders. Instructions do not ask the agent to read unrelated files or environment variables, nor to send data to external endpoints beyond the platform's cron/send mechanism.
Install Mechanism
There is no install spec (instruction-only plus a bundled todo.py). Nothing is downloaded from external URLs and no installers are declared, so there is no install-time network risk. The script will create a local directory and DB file, which is expected.
Credentials
The skill requires no environment variables, no external credentials, and no config paths beyond its own DB path. That is proportionate for a local todo manager.
Persistence & Privilege
The skill's always flag is false, and the skill does not request elevated or cross-skill configuration. It will create and write a single DB file under the user's home workspace, which is expected behavior.
What to consider before installing
This skill appears to be a local SQLite todo CLI and does not ask for secrets or network access, but there are notable inconsistencies between the documentation and the bundled Python code that could cause runtime errors or unexpected behavior. Before installing or enabling it:
1) Inspect the full todo.py for any network or subprocess calls (the provided portion shows none, but the file was truncated).
2) Be aware that it will create or modify ~/.openclaw/workspace/data/todo.db; back up any existing data there.
3) Test the script in an isolated environment (container or throwaway account) to confirm it works and does not crash. Several bugs are visible: mismatched types for importance/urgency, incorrect SQL ordering that compares string labels against stored integers, and a join/print that may raise TypeError.
4) Prefer a skill with a known source/homepage, or ask the maintainer to fix the implementation/documentation mismatches before using it in production.
