Todo Management 1.1.2

Result: Pass. Audited by ClawScan on May 1, 2026.

Overview

This appears to be a straightforward local SQLite todo manager, but it will run a local Bash script and persist or delete todo data in a workspace database.

This skill is reasonable for local todo management. Before installing, be aware that it runs a local shell script, creates or updates a workspace todo.db file, and can delete todo entries when asked; avoid putting secrets in todo text and do not run unnecessary npm install steps.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent can change or delete entries in the local todo database when acting on todo-management requests.

Why it was flagged

The skill intentionally routes todo mutations through a local Bash CLI, including add, edit, move, remove, and clear operations.

Skill content
All changes MUST happen through the CLI:
`bash {baseDir}/scripts/todo.sh ...`
Recommendation

Use clear wording for delete or clear requests, and verify IDs when removing ambiguous tasks.

What this means

Anything placed in the todo list may persist locally and be shown later when the list is requested.

Why it was flagged

Todo text is stored persistently in a workspace SQLite database and may be read back in later sessions.

Skill content
A per-workspace SQLite database:
- Default: `./todo.db`
- Override: `TODO_DB=/path/to/todo.db`
Recommendation

Avoid storing secrets or highly sensitive information as todo text, and set TODO_DB deliberately if using a non-default location.

What this means

If a user unnecessarily runs npm install in this skill folder, it may fetch an unrelated package that is not needed for the todo functionality.

Why it was flagged

The npm dependency is not explained by the Bash/sqlite3-based skill workflow and is not referenced by the README or SKILL.md setup instructions.

Skill content
"dependencies": {
    "package-lock.json": "^1.0.0"
}
Recommendation

Do not run npm install for this skill unless the maintainer explains the dependency; maintainers should remove or justify the package files.