Remember The Milk
Pass
Audited by ClawScan on May 1, 2026.
Overview
This appears to be a coherent Remember The Milk task-management skill, with important but disclosed risks around full-access RTM credentials, task deletion, and a plaintext local auth token.
This skill looks legitimate for RTM task management. Before installing, be comfortable granting delete-level RTM access, protect ~/.rtm_token with restrictive permissions, avoid sharing credentials with untrusted sub-agents, and confirm destructive actions such as task or note deletion.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked incorrectly, the agent could complete, move, tag, or delete tasks in the user's Remember The Milk account.
The skill exposes commands that can complete or delete RTM tasks. This is purpose-aligned for a task manager, but these actions mutate account data.
scripts/rtm.py complete LIST_ID SERIES_ID TASK_ID
scripts/rtm.py delete LIST_ID SERIES_ID TASK_ID
Require clear user intent before any write operation, and confirm destructive actions such as delete with the user before running them; completing a task is also a mutation, since it changes account state that other devices and integrations will see.
Anyone who can read the token file may be able to access or modify the linked RTM account, including deleting tasks.
The skill requires RTM credentials and stores a persistent token with the highest RTM permission tier. This is disclosed and supports the stated delete capability, but it is high-value account access.
Auth token: Stored as plain text at `~/.rtm_token` after interactive auth. This file grants full access to the linked RTM account... Permissions: The auth flow requests `delete` permission (RTM's highest tier)
Use a dedicated RTM API key if possible, restrict ~/.rtm_token to the current user (mode 0600, in a directory other local users cannot write to), and remove the token file when persistent access is no longer needed. Deleting the local file does not invalidate the token on the server side, so also revoke the application's authorization from the RTM account when retiring the skill.
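A concrete way to verify the permission recommendation, written as an added example (not part of the audited skill or of ClawScan): check that the token file is a regular file owned by the current user with no group or world bits, that its parent directory is not world-writable, and tighten the mode if it is loose. The path ~/.rtm_token is the one the skill documents; the demo writes a constructed placeholder token into a temporary directory rather than touching a real one.

```python
import os
import stat
import tempfile
from pathlib import Path

# Added example. The only thing taken from the skill's docs is the token
# location (~/.rtm_token); the checks are ours, not the skill's own code.


def token_file_issues(path):
    """Return a list of permission problems with the token file.

    An empty list means: exists, regular file (not a symlink), owned by the
    current user, mode 0600 or tighter, parent dir not world-writable.
    """
    p = Path(path).expanduser()
    issues = []
    try:
        st = p.lstat()
    except FileNotFoundError:
        return ["missing"]
    if stat.S_ISLNK(st.st_mode):
        # A symlink could redirect the skill's token write somewhere else.
        return ["symlink"]
    if not stat.S_ISREG(st.st_mode):
        issues.append("not-regular-file")
    if st.st_uid != os.geteuid():
        issues.append("not-owned-by-current-user")
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        issues.append("group-or-world-accessible:%04o" % mode)
    # A world-writable parent (without the sticky bit) lets another local
    # user replace the token file, so the file's own mode is not enough.
    parent_mode = stat.S_IMODE(p.parent.stat().st_mode)
    if parent_mode & stat.S_IWOTH and not parent_mode & stat.S_ISVTX:
        issues.append("parent-world-writable")
    return issues


def lock_down_token_file(path):
    """chmod 0600 the token file and report whatever problems remain."""
    p = Path(path).expanduser()
    os.chmod(p, 0o600)
    return token_file_issues(p)


def demo():
    """Create a loosely permissioned token file in a temp dir, then fix it."""
    d = tempfile.mkdtemp()  # created 0700, so the parent-dir check passes
    tok = os.path.join(d, ".rtm_token")
    with open(tok, "w") as f:
        f.write("constructed-sample-token\n")  # constructed, not a real token
    os.chmod(tok, 0o644)  # the kind of default umask result we want to catch
    before = token_file_issues(tok)
    after = lock_down_token_file(tok)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
    print("real file:", token_file_issues("~/.rtm_token"))
```

Run it as-is to see the demo; the last line reports on the real ~/.rtm_token if one exists, without modifying it.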
Credentials could be exposed to less-trusted sub-agents or logs if passed carelessly.
The documentation describes forwarding RTM credentials explicitly when using sub-agents. This may be necessary for the workflow, but it broadens where secrets are handled.
Sub-agents: Env vars are not inherited. Pass them explicitly: RTM_API_KEY=... RTM_SHARED_SECRET=... python3 scripts/rtm.py <command>
Only pass RTM credentials to trusted execution contexts, avoid logging command lines that contain secrets (a `VAR=value command` prefix keeps the value out of the child's argv, but the line itself can still land in shell history and agent transcripts), and prefer scoped skill environment configuration where available.
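The first and third findings both come down to how the agent invokes scripts/rtm.py. The following added example (ours, not the skill's or ClawScan's code) shows one wrapper that handles both: it refuses destructive subcommands without explicit confirmation, places RTM_API_KEY and RTM_SHARED_SECRET in the child's environment rather than on the command line, produces a log line that names the secret variables without their values, and scrubs known secret values from any text that is going to be logged. The subcommand names `complete` and `delete` come from the skill's docs; any other subcommand is an assumption on our part and is treated as a write, which is the fail-closed choice.

```python
import os
import shlex

# Added example. Only "complete" and "delete" are documented by the skill;
# every other subcommand is classified as "unknown" and gated like a write.
DESTRUCTIVE = {"delete"}
MUTATING = {"complete"}
SECRET_VARS = ("RTM_API_KEY", "RTM_SHARED_SECRET")


class ConfirmationRequired(Exception):
    """Raised when a destructive subcommand is planned without user confirmation."""


def classify(subcommand):
    if subcommand in DESTRUCTIVE:
        return "destructive"
    if subcommand in MUTATING:
        return "mutating"
    return "unknown"


def loggable(argv, env):
    """A log-safe description: the argv plus the *names* of secrets passed in env."""
    names = ",".join(k for k in SECRET_VARS if k in env)
    return "exec %s (env secrets: %s)" % (shlex.join(argv), names or "none")


def redact(text, secrets):
    """Replace every known secret value in free-form text (stderr, tracebacks)."""
    for s in secrets:
        if s:
            text = text.replace(s, "[REDACTED]")
    return text


def plan_invocation(args, api_key, shared_secret, confirmed=False):
    """Build argv and env for scripts/rtm.py without ever putting secrets in argv.

    Returns a dict with 'argv', 'env', 'kind' and a log-safe 'log' string.
    Raises ConfirmationRequired for destructive subcommands unless the caller
    has obtained explicit confirmation from the user.
    """
    if not args:
        raise ValueError("no subcommand given")
    kind = classify(args[0])
    if kind == "destructive" and not confirmed:
        raise ConfirmationRequired(
            "refusing %r without user confirmation" % shlex.join(args))
    argv = ["python3", "scripts/rtm.py", *args]
    # Defence in depth: a caller that accidentally threads a secret through
    # the positional arguments gets stopped here rather than logged later.
    for a in argv:
        if api_key in a or shared_secret in a:
            raise ValueError("secret value found in argv; pass it via env only")
    # Start from the current environment minus any stale RTM values, then set
    # exactly the two variables the skill documents as required.
    env = {k: v for k, v in os.environ.items() if k not in SECRET_VARS}
    env["RTM_API_KEY"] = api_key
    env["RTM_SHARED_SECRET"] = shared_secret
    return {"argv": argv, "env": env, "kind": kind, "log": loggable(argv, env)}


if __name__ == "__main__":
    # Constructed placeholder credentials, not real ones.
    key, secret = "example-api-key-123", "example-shared-secret-456"
    try:
        plan_invocation(["delete", "L1", "S1", "T1"], key, secret)
    except ConfirmationRequired as e:
        print("blocked:", e)
    plan = plan_invocation(["delete", "L1", "S1", "T1"], key, secret, confirmed=True)
    print(plan["log"])
    print(redact("rtm.py failed with key=%s" % key, [key, secret]))
```

To actually run the command, hand `plan["argv"]` and `plan["env"]` to `subprocess.run(argv, env=env, capture_output=True, text=True)` and pass the child's stderr through `redact` before it reaches any log or transcript.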
