ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

4To1 Planner - AI Planning Coach

v2.0.0

AI planning coach using the 4To1 Method™ — turn 4-year vision into daily action. Connects to Notion, Todoist, Google Calendar, or local Markdown. Use when user wants to plan goals, do weekly reviews, track projects, or set up a planning system.

0· 1.2k·3 current·3 all-time
byMark Zhou@qingxuantang
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (planning coach) match the behavior: scripts and instructions create/configure a backend, read/write Notion/Todoist/Calendar or local markdown, and use curl/python3 as declared. There are no unrelated binaries or credentials requested.
Instruction Scope
Runtime instructions ask the user to store API keys in ~/.config/4to1/config and the scripts source that file to call Notion/Todoist APIs or read local markdown — this is expected for the stated functionality. Note: SKILL.md and scripts reference slightly inconsistent variable names (NOTION_KEY vs NOTION_API_KEY / NOTION_PARENT_PAGE) which can break runtime behavior. The skill also references a gcal_setup.py for Google Calendar which is not included in the package.
Install Mechanism
No install spec or external downloads are used; the skill is instruction-only with included shell scripts. Nothing is fetched from arbitrary URLs or auto-executed from external hosts.
Credentials
No environment variables are declared in metadata, but the user is asked to place service API keys in a plaintext config at ~/.config/4to1/config (NOTION_API_KEY, TODOIST_API_KEY, etc.). These credentials are proportionate to the integrations; however storing long-lived API keys in a plaintext file in the home directory is a privacy/security tradeoff the user should consider.
Persistence & Privilege
Skill is user-invocable, not forced-always. It does not request elevated or persistent system-wide privileges and does not modify other skills or global agent config beyond creating its own ~/.config/4to1 and optional local plan directory.
Assessment
This skill appears coherent for a planning coach that integrates with Notion, Todoist, Google Calendar, or local Markdown. Before installing: (1) Review the included scripts yourself — they only read a config file and call official APIs, but you should verify variable names (the scripts use NOTION_API_KEY in some places and NOTION_KEY in others) and fix them if needed. (2) Be aware you will paste API tokens into ~/.config/4to1/config as plaintext; consider using a more secure storage mechanism or a short-lived integration if available. (3) The Google Calendar flow references a gcal_setup.py that isn't included — expect an extra step for OAuth. (4) Test the scripts in a safe environment first (non-production account or revoked test keys) and revoke API keys if you stop using the skill. (5) If you need a higher security posture, prefer the local Markdown backend to avoid sending data to third-party services.

Like a lobster shell, security has layers — review code before you run it.

latestvk9782n5jygb5k673xza99zp19s80w3sj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎯 Clawdis
Any bincurl, python3

Comments