Todo management

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local todo-list skill that stores tasks in a workspace SQLite database and has no artifact evidence of hidden network, credential, or exfiltration behavior.

This appears safe for managing local workspace todos. Before installing, be comfortable with the agent creating and modifying ./todo.db, and be careful with clear/delete requests. Do not store secrets in the todo list, especially in shared workspaces.

VirusTotal

66/66 vendors flagged this skill as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Low
What this means

If you ask the agent to clear or remove todos, it can delete entries from the workspace todo database.

Why it was flagged

The skill explicitly supports bulk deletion of local todo entries. This is purpose-aligned, but users should recognize that clear/delete requests mutate persistent local data.

Skill content

To clear the todo list:
1) run `entry list --all` to get IDs ...
2) remove each ID with `entry remove ID`

Recommendation

Use clear/delete commands only when intended; ask the agent to list todos first if you want to verify what will be removed.

ASI06: Memory and Context Poisoning
Low
What this means

Personal or sensitive tasks saved as todos may remain in the workspace database until deleted.

Why it was flagged

Todo items are stored persistently in a local SQLite database and may later be listed back into the agent context.

Skill content

The only persistent state is in `todo.db`, mutated by `todo.sh`.

Recommendation

Avoid storing secrets or highly sensitive information in todos, and protect or delete todo.db if the workspace is shared.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

You have limited publisher/source context for deciding whether to trust the included shell script.

Why it was flagged

The skill has limited provenance information, although the provided artifacts do not show a remote installer, hidden dependency, or suspicious download path.

Skill content

Source: unknown
Homepage: none

Recommendation

Install only if you trust the publisher or have reviewed the included script for your environment.