Vikunja Tasks

Result: Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: vikunja-tasks
Version: 1.0.0

The skill bundle is designed to manage tasks and projects on a self-hosted Vikunja instance. It uses `curl` to interact with the user-configured Vikunja API endpoint (`VIKUNJA_URL`), authenticating with a provided `VIKUNJA_TOKEN`. All network calls are directed to this specified endpoint, and there is no evidence of data exfiltration to unauthorized external destinations. The `SKILL.md` includes instructions for setting up a cron job that sends a message to the agent for proactive task notifications; this is technically a form of prompt injection, but its intent is clearly benign and aligned with the skill's stated purpose of providing task notifications, not subverting agent behavior or accessing unrelated sensitive data. The `vikunja.sh` script uses `jq` for JSON parsing and `python3` for URL encoding, which are standard and appropriate practices.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern (High Confidence)
ASI05: Unexpected Code Execution
What this means

If the agent passes attacker-controlled or specially crafted search/filter text, code could run on the local environment where the skill executes.

Why it was flagged

SEARCH and FILTER are placed directly inside Python source code instead of being passed as argv or environment data. A crafted value containing a single quote can break out of the string and execute arbitrary Python code.

Skill content
python3 -c "import urllib.parse; print(urllib.parse.quote('$SEARCH'))" ... python3 -c "import urllib.parse; print(urllib.parse.quote('$FILTER'))"
Recommendation

Fix the script before use by passing values safely, for example: python3 -c 'import sys, urllib.parse; print(urllib.parse.quote(sys.argv[1]))' "$SEARCH". Avoid passing untrusted search/filter strings until patched.

What this means

The skill can access and change Vikunja data allowed by the provided token.

Why it was flagged

The skill uses a Vikunja bearer token for read/write API calls, including creating tasks and marking tasks complete. This is expected for the stated purpose, but it is account authority.

Skill content
AUTH="Authorization: Bearer ${VIKUNJA_TOKEN}"; RESPONSE=$(api_put "projects/${PID}/tasks" "$BODY"); RESPONSE=$(api_post "tasks/${ID}" '{"done": true}')
Recommendation

Use the least-privileged Vikunja API token available, keep it out of shared shells/logs, and revoke it if the skill is no longer needed.

What this means

Users may not realize from the registry metadata that they must provide a token and have local command-line tools available.

Why it was flagged

The registry metadata advertises no required binaries or credentials, while the provided script requires VIKUNJA_URL/VIKUNJA_TOKEN and uses local tools such as curl, jq, python3, and date. This is a disclosure/setup gap rather than hidden install code.

Skill content
Required binaries (all must exist): none; Required env vars: none; Primary credential: none
Recommendation

Declare the required environment variables, credential, and runtime tools in metadata so users can review the access and dependencies before installation.

Note (High Confidence)
ASI10: Rogue Agents
What this means

If configured, the agent will periodically query Vikunja and send task information to the chosen Telegram channel.

Why it was flagged

The documentation suggests an optional scheduled job that continues checking tasks and delivering notifications after setup.

Skill content
clawdbot cron add ... --message "Check Vikunja for overdue and upcoming tasks (next 24 hours). If any are found, notify me with the list." ... --deliver ... --channel telegram
Recommendation

Only add the cron job if you want proactive reminders, verify the delivery channel, and remove the cron job when it is no longer needed.