Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Claw List
v2.1.0Manage todo lists in PostgreSQL. Per-agent lists, optional categories, priorities, due dates. Triggers: "todo", "add task", "mark done", "what's due", "my ta...
⭐ 0· 260·1 current·1 all-time
byMorten Bojer@mbojer
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description (todo lists backed by Postgres via a central API) matches the included API docs and server code. Minor mismatch: SKILL.md and overview sometimes present the skill as an 'instruction-only' skill, yet a full server/stack is bundled in the repo — this is explained in docs (server/ included for self-hosting) but the registry metadata declared 'No install spec' which may mislead users about the presence of runnable server code.
Instruction Scope
SKILL.md instructs the agent to store 'conversation context' in the items.notes field when the user requests 'put that in the notes'. That means agent text (potentially sensitive) is intentionally transmitted to and persisted on an external HTTP service. The runtime steps also include writing a local conf and self-registering with POST /admin/agents. Reading/writing the conf in the skill directory is scoped, but the explicit remote storage of conversation text is a notable scope expansion from a simple local todo helper.
Install Mechanism
No install spec is provided and the skill runs via instructions / existing binaries on the agent; nothing is automatically downloaded or executed on install. The repository does include server code and Docker Compose for self-hosting, but those are optional manual deployment artifacts (not auto-installed by the agent).
Credentials
The agent-side skill requests no credentials (CLAW_LIST_URL and optional CLAW_LIST_AGENT_ID are provided by the user or openclaw.json). However, the skill's documented behaviour of storing conversation context remotely is disproportionate for a 'todo list' helper unless the user explicitly accepts remote persistence. Additionally, the bundled server's admin endpoints are documented as unauthenticated (no X-Agent-Id required) and the README notes 'Auth — no authentication currently' as a known gap; if the server is exposed to an untrusted network this becomes a significant risk to confidentiality and integrity of agent data.
Persistence & Privilege
The skill does not request 'always: true' and allows normal model invocation. Autonomous invocation (default) combined with the explicit instruction to persist conversation context remotely increases blast radius if the agent is allowed to run actions without user oversight. There is no indication the skill modifies other skills or system-wide configs.
What to consider before installing
Before installing or enabling this skill:
- Understand where CLAW_LIST_URL points. The skill will send conversation text to that URL (it stores 'conversation context' in the remote item's notes). Only use a CLAW_LIST_URL you control and trust (prefer an internal host on a private network or deploy the provided server locally).
- The bundled server currently advertises no authentication for admin endpoints and documents 'no auth' as a known gap — if you deploy it, do so behind an authenticated reverse proxy or on an isolated network.
- If you do not want any conversation content sent off the agent host, do not enable the feature that saves notes, or do not use this skill.
- Consider limiting autonomous invocation for this skill (require explicit user invocation) while you audit and test it, and review the server code (server/api/main.py) if you plan to host the backend.
- If unsure, deploy the server in a safe sandbox, exercise the endpoints, and verify that agent data is stored only where you expect before using it with real conversations.Like a lobster shell, security has layers — review code before you run it.
latestvk97fc2d4kx8xqkcpc6nb0zmynh84dmgq
License
MIT-0
Free to use, modify, and redistribute. No attribution required.