Back to skill
Skillv1.0.0
ClawScan security
Task ToDo · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 12, 2026, 2:45 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and requirements align with a simple local SQLite-backed TODO/task manager and do not request unexplained credentials, network access, or other elevated privileges.
- Guidance
- This skill appears internally consistent and implements a local SQLite-backed task manager. Before installing, consider: (1) The database file tasks.db will be created in the current working directory — avoid running it in directories containing sensitive files and check file permissions. (2) The skill has no network or credential access, so it does not exfiltrate data by design; nevertheless, avoid storing secrets in tasks. (3) If you allow autonomous agent invocation, the agent could create/read/update the local DB automatically — if that is a concern, run the skill manually or in an isolated environment. (4) If you want extra assurance, review or run the code in a sandbox (or a dedicated directory) and delete tasks.db when no longer needed.
Review Dimensions
- Purpose & Capability
- okName/description, SKILL.md, and the included Python code all implement a local task/TODO manager using SQLite. There are no unrelated environment variables, binaries, or external services requested.
- Instruction Scope
- okRuntime instructions and the code confine operations to local task management and persistent storage in a local 'tasks.db' file. The SKILL.md does not instruct the agent to read unrelated files, network endpoints, or extra environment variables.
- Install Mechanism
- okNo install spec is provided and there are no external dependencies; the code uses Python's built-in sqlite3. Nothing is downloaded or written outside the included files and the local SQLite DB.
- Credentials
- okThe skill requires no credentials or environment variables. Its only persistent artifact is a local SQLite DB file (tasks.db), which is proportionate to the stated purpose.
- Persistence & Privilege
- okThe skill does not request always:true or other elevated persistence. It creates/uses a database file in the current directory (tasks.db) — expected for local persistence and scoped to its purpose.