Todo SQLite

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a straightforward local SQLite todo manager that stores and modifies your todo data locally, with optional scheduled reminders and no visible credential or network use.

This skill looks proportionate for local todo management. Before installing, be comfortable with a local persistent todo database, use care with delete commands, avoid placing secrets in todo notes, and review or remove any scheduled reminders you create.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

You have less external provenance to rely on when deciding whether to trust the skill.

Why it was flagged

The package has limited provenance information, although it does not show a remote installer, dependency download, or hidden helper setup.

Skill content

Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.

Recommendation

Install only if you trust the publisher or have reviewed the included artifacts enough for your use case.

What this means

An incorrect delete request could remove todo items or entire projects from the local todo database.

Why it was flagged

The skill intentionally exposes destructive todo/project deletion commands. This matches the todo-manager purpose, but these actions can remove user data if invoked carelessly.

Skill content

todo delete-project <project name> ... Delete a project (deletes all todos under the project); todo delete <todo ID> ... Delete a todo (also deletes its sub-todos)

Recommendation

Ask the agent to list or show the target item first, and require clear confirmation before deleting projects or todos.

What this means

Private or sensitive text entered into todos may persist locally and be shown again later.

Why it was flagged

Todo content is stored persistently in a local SQLite database, which is expected for this skill but means titles, notes, dates, and project names can remain available for future list/search/reminder outputs.

Skill content

DB_PATH = os.path.expanduser("~/.openclaw/workspace/data/todo.db")

Recommendation

Avoid storing secrets in todo titles or notes, and treat retrieved todo text as user data rather than as instructions for the agent.

What this means

If you set up reminders, the skill may continue surfacing pending todo data on the chosen schedule until the reminder is removed.

Why it was flagged

The documentation describes optional recurring reminders via OpenClaw cron. This is disclosed and user-directed, but it is a persistent scheduled action.

Skill content

Use OpenClaw's cron feature to set up scheduled reminders ... This calls `todo list-all --pending` and sends the results.

Recommendation

Only create reminder schedules you actually want, and cancel them when they are no longer needed.