Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Todolist Md Clawdbot
v1.0.0Read, summarize, propose edits, and write back changes for Markdown todo files using line-stable bot markers without altering task identity.
⭐ 0· 606·0 current·0 all-time
by@nitsujy
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's name/description (Markdown todo editing) align with the included scripts which implement Google Drive access and in-file bot markers. However, the package metadata lists no required environment variables or config paths, while the scripts clearly require Drive OAuth tokens (ACCESS_TOKEN/REFRESH_TOKEN/CLIENT_ID/CLIENT_SECRET) and/or a gog account — this mismatch between declared requirements and actual code is notable.
Instruction Scope
SKILL.md rules and conventions are narrowly scoped to reading/writing Markdown with bot markers and minimizing LLM calls, which the code generally follows. But the runtime instructions and scripts reference and/or perform actions outside that narrow scope: reading /root/clawd/.secrets/gog.env, storing a refresh token file under /root/clawd/.secrets, and invoking sudo to run the 'gog' CLI as the 'ubuntu' user. Those filesystem and privileged interactions are not called out in the top-level metadata or prominently in SKILL.md.
Install Mechanism
There is no external install/download step (instruction-only/install-less). The skill bundles local scripts (Node/Python) and does not fetch arbitrary code from remote URLs during install. Risk from installation is therefore low; runtime risk comes from network calls the scripts make.
Credentials
The scripts expect Google Drive OAuth credentials (ACCESS_TOKEN, REFRESH_TOKEN, CLIENT_ID, CLIENT_SECRET, REFRESH_TOKEN_FILE) and gog-related credentials (GOG_ACCOUNT, GOG_KEYRING_PASSWORD, GOG_BIN). Those sensitive variables and a refresh token file are necessary for Drive access but were not declared in registry metadata. The skill persists tokens to disk under /root/clawd/.secrets, which is persistent and sensitive — proportionate for Drive integration but requires explicit user awareness and least-privilege configuration.
Persistence & Privilege
always:false (good), but the scripts persist refresh tokens to /root/clawd/.secrets/todolist_drive_oauth.json and expect a gog.env secrets file there. They also run sudo to call gog as another user. Persisting tokens and invoking sudo increase blast radius if the host or skill is compromised; these behaviors are not surfaced in the top-level metadata.
Scan Findings in Context
[oauth_token_exchange] expected: Scripts post to https://oauth2.googleapis.com/token to exchange auth codes/refresh tokens — expected for Google Drive integration.
[drive_api_calls] expected: Scripts call Drive endpoints (files, upload) via fetch — expected for Drive file download/update behavior described in SKILL.md.
[exec_sudo_gog] expected: Use of execFileSync/subprocess to run 'sudo -u ubuntu ... gog drive ls/download' aligns with SKILL.md references to the gog CLI, but it requires sudo privileges and environment secrets (GOG_ACCOUNT/GOG_KEYRING_PASSWORD) and thus should be highlighted to the user.
[write_refresh_token_file] expected: Script stores refresh_token under /root/clawd/.secrets/todolist_drive_oauth.json with 0o600 perms — expected for managed-OAuth flow, but this persistent secret storage is sensitive and not declared in registry metadata.
What to consider before installing
This skill implements a Drive-backed Markdown todo editor and will need Google Drive credentials (access token or CLIENT_ID/CLIENT_SECRET + auth flow) and, optionally, gog CLI credentials. Before installing: (1) understand you'll need to provide Drive/gog credentials and may need to run sudo for the gog CLI; (2) review and accept that the skill will store a refresh token under /root/clawd/.secrets (persistent secret on disk); (3) consider running it in an isolated account/container with least privilege, or modify the scripts to use a dedicated service account and a narrower OAuth scope; (4) verify the metadata mismatch (no declared env/config) with the publisher and ensure you supply only minimal credentials needed; and (5) inspect the scripts yourself (or have someone you trust do so) before granting access to sensitive accounts.Like a lobster shell, security has layers — review code before you run it.
latestvk971ye66vxrfa4va1cd1p4jcv18157gm
License
MIT-0
Free to use, modify, and redistribute. No attribution required.