Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Todo Management 1.1.2

Per-workspace SQLite todo manager (./todo.db) with groups and task statuses (pending/in_progress/done/skipped), operated via {baseDir}/scripts/todo.sh for adding, listing, editing, moving, and removing entries and managing groups.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
4 · 1.8k · 2 current installs · 4 all-time installs
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description match the delivered assets: a bash CLI script that manipulates a local SQLite DB (default ./todo.db). Declared required binary (sqlite3) is exactly what's needed. No unrelated binaries, env vars, or config paths are requested.
Instruction Scope
SKILL.md narrowly instructs the agent to run the bundled script and defines strict rules (no extra file writes, only show lists on request, short confirmations). The visible script implements database operations only (groups/entries) and uses only sqlite3, sed and shell builtins. I saw no instructions to read unrelated files, send data to external endpoints, or access unrelated environment variables.
Install Mechanism
This is instruction-only / script-included with no install spec. No downloads or archives are fetched at install time, which minimizes installation risk.
Credentials
No credentials or sensitive env vars are required. The single optional environment override TODO_DB is reasonable for a DB-backed todo tool. (Note: pointing TODO_DB to an arbitrary path will cause the script to read/write that file—expected but something to be careful about.)
Persistence & Privilege
The skill does not request persistent system-wide presence (always:false). Its persistent state is limited to the SQLite DB in the workspace (or a path chosen via TODO_DB). It does not modify other skills or global agent config.
Assessment
This appears to be a simple local todo script that only needs sqlite3. Before installing, (1) review the full todo.sh (the provided excerpt is mostly visible but the file was truncated in the listing) to confirm there are no network calls or eval/exec of user content; (2) ensure you do not set TODO_DB to a sensitive system path; (3) run the script in a safe test workspace to verify behavior (it will create/modify a local todo.db file); (4) the skill does not request credentials, but keep in mind the agent can run the script autonomously (normal behavior) — if you want to restrict that, disable autonomous invocation in your agent settings.
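The Credentials note and assessment item (2) both warn that TODO_DB can point the script at any file. One way to check the override before invoking todo.sh is sketched below as an added example; it is not part of the skill or of the scan output. `check_todo_db` and `resolve_dir` are hypothetical helper names, and the workspace is assumed to be an existing directory.

```shell
#!/usr/bin/env bash
# Added example: guard for the TODO_DB override (hypothetical helpers,
# not code from the skill).

# Resolve a directory to its physical path (symlinks followed); fails if missing.
resolve_dir() {
  ( cd "$1" 2>/dev/null && pwd -P )
}

# Usage: check_todo_db WORKSPACE [DB_PATH]
# Returns 0 only when DB_PATH (default ./todo.db, relative to WORKSPACE)
# resolves to a location inside WORKSPACE and is not a symlink or special file.
check_todo_db() {
  local ws db dir base real_ws real_dir
  ws=$1
  db=${2:-./todo.db}
  real_ws=$(resolve_dir "$ws") || return 2       # workspace must exist
  case $db in /*) ;; *) db="$ws/$db" ;; esac       # relative paths start at the workspace
  dir=$(dirname -- "$db")
  base=$(basename -- "$db")
  real_dir=$(resolve_dir "$dir") || return 1       # parent directory must exist
  # Reject a symlinked DB file: sqlite3 would follow it to the link target.
  [ -L "$real_dir/$base" ] && return 1
  # Reject an existing non-regular file (directory, device, FIFO).
  [ -e "$real_dir/$base" ] && [ ! -f "$real_dir/$base" ] && return 1
  # Parent must be the workspace itself or a directory below it. The trailing
  # slash stops /ws-other from matching a workspace named /ws.
  case $real_dir/ in
    "$real_ws"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Typical call before running the skill's script:
#   check_todo_db "$PWD" "${TODO_DB:-./todo.db}" || { echo "refusing TODO_DB" >&2; exit 1; }
```

The check resolves the parent directory rather than the file itself, so it also works before todo.db has been created.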

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0

Runtime requirements

📝 Clawdis
Bins: sqlite3

SKILL.md

Todo Management

What this skill controls

A per-workspace SQLite database:

  • Default: ./todo.db
  • Override: TODO_DB=/path/to/todo.db

All changes MUST happen through the CLI: bash {baseDir}/scripts/todo.sh ...

Statuses

pending (default), in_progress, done, skipped

The default list hides done and skipped entries unless --all or --status=... is given.


Non-negotiable rules

1) No file writing (ever)

  • Do NOT create or edit any files (e.g., todos.md, notes, markdown, exports).
  • Do NOT output “filename blocks” like todos.md (...).
  • The only persistent state is in todo.db, mutated by todo.sh.

2) Never print the todo list unless explicitly asked

  • If the user does NOT ask to “show/list/print my todos”, do NOT paste the list.
  • Default behavior after mutations: one short confirmation line only.

3) Keep replies extremely short

  • After success: respond with ONE line, max ~5 words (translate to user’s language yourself).
  • Do not include bullets, tables, code blocks, or tool output unless the user explicitly asked for the list/details.

Allowed confirmations (English examples; translate as needed):

  • “Done.”
  • “Added.”
  • “Updated.”
  • “Removed.”
  • “Moved.”
  • “Renamed.”
  • “Cleared.”
  • “Added to the list.”

4) Ambiguity handling (the ONLY exception to rule #2)

If the user requests a destructive action but does not specify an ID (e.g., “remove the milk task”):

  1. run entry list (optionally with --group=...)
  2. show the results (minimal table)
  3. ask which ID to act on

This is the only case where you may show the list without the user explicitly requesting it.

5) Group deletion safety

  • group remove "X" moves entries to Inbox (default).
  • Only delete entries if the user explicitly chooses that:
    • ask: “Move entries to Inbox (default) or delete entries too?”
    • only then use --delete-entries.

Commands (use exactly these)

Entries

  • Add:
    • bash {baseDir}/scripts/todo.sh entry create "Buy milk"
    • bash {baseDir}/scripts/todo.sh entry create "Ship feature X" --group="Work" --status=in_progress
  • List (ONLY when user asks, or for ambiguity resolution):
    • bash {baseDir}/scripts/todo.sh entry list
    • bash {baseDir}/scripts/todo.sh entry list --group="Work"
    • bash {baseDir}/scripts/todo.sh entry list --all
    • bash {baseDir}/scripts/todo.sh entry list --status=done
  • Show one entry:
    • bash {baseDir}/scripts/todo.sh entry show 12
  • Edit text:
    • bash {baseDir}/scripts/todo.sh entry edit 12 "Buy oat milk instead"
  • Move:
    • bash {baseDir}/scripts/todo.sh entry move 12 --group="Inbox"
  • Change status:
    • bash {baseDir}/scripts/todo.sh entry status 12 --status=done
    • bash {baseDir}/scripts/todo.sh entry status 12 --status=skipped
  • Remove:
    • bash {baseDir}/scripts/todo.sh entry remove 12

Groups

  • Create / list:
    • bash {baseDir}/scripts/todo.sh group create "Work"
    • bash {baseDir}/scripts/todo.sh group list
  • Rename (alias: edit):
    • bash {baseDir}/scripts/todo.sh group rename "Work" "Work (Project A)"
    • bash {baseDir}/scripts/todo.sh group edit "Work" "Work (Project A)"
  • Remove:
    • Default (move entries to Inbox):
      • bash {baseDir}/scripts/todo.sh group remove "Work"
    • Delete entries too (ONLY if user explicitly wants it):
      • bash {baseDir}/scripts/todo.sh group remove "Work" --delete-entries

“Clear the list” behavior (no list printing)

To clear the todo list:

  1. run entry list --all to get IDs (do NOT paste the results)
  2. remove each ID with entry remove ID
  3. reply with ONE line: “Cleared.”

If the user then asks to see the list, run entry list and show it.


Dialogue example (expected behavior)

User: "I need to buy milk, add it to my todo list"
Agent: "Done."

User: "Oh, and I also need to clean the room"
Agent: "Added to the list."

User: "Show my todos"
Agent: (prints the list)

User: "Remove the milk one"
Agent: (lists matching tasks + asks for ID, then removes when ID is provided)
