4To1 Planner - AI Planning Coach

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill is a coherent planning helper whose service access matches its stated purpose. The cautions below concern the third-party API tokens it stores, the plans it keeps locally, and the shell setup and status scripts.

Before installing, decide which backend you trust for your planning data. If using Notion or Todoist, create a dedicated/scoped integration where possible and keep ~/.config/4to1/config private. Avoid the Google Calendar setup path until the missing helper script is provided.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

66/66 vendors flagged this skill as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Low
What this means

The tokens can give the skill access to your planning data in those services, depending on the token or integration scope.

Why it was flagged

The setup flow asks for third-party API tokens and stores them in a local config file so the planner can access Notion or Todoist.

Skill content
read -p "Paste your Notion API key: " notion_key ... echo "NOTION_API_KEY=$notion_key" >> "$CONFIG_DIR/config"
Recommendation

Use a dedicated Notion integration shared only with the intended parent page, use the least-privileged Todoist token available, and revoke tokens if you stop using the skill.

ASI02: Tool Misuse and Exploitation
Low
What this means

Running these commands will modify the connected planning workspace by creating planner pages and databases.

Why it was flagged

The skill documents API calls that create pages and databases in the user's Notion workspace.

Skill content
curl -s -X POST "https://api.notion.com/v1/pages" ... curl -s -X POST "https://api.notion.com/v1/databases"
Recommendation

Only allow the agent to run setup or write commands after you choose the backend and confirm the target workspace or project.

ASI05: Unexpected Code Execution
Low
What this means

If the local config file were manually edited or tampered with, running the status script could execute unexpected shell commands.

Why it was flagged

The status script loads the config file as shell code (via source) rather than parsing it as key-value data, so any command appended to that file runs with the user's privileges the next time the status script is invoked.

Skill content
source "$CONFIG"
Recommendation

Keep ~/.config/4to1/config private and trusted; maintainers should parse config values safely and set restrictive file permissions.
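Added example, not the skill's own code: a POSIX shell sketch of how both the ASI03 token-storage finding and the ASI05 sourced-config finding could be handled. The config file is created mode 0600 before any token is written to it, it is read back as KEY=VALUE data instead of being executed, and the demo contrasts that reader with source on a constructed tampered line. The path, key names and token value are hypothetical; the sample config is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the 4To1 skill): store and read a KEY=VALUE config
# without executing it. File path, key names and token are hypothetical.

# Append KEY=VALUE to a config file that only the owner can read.
# The file is created under umask 077 so the token never exists, even
# briefly, in a world-readable file; chmod 600 also tightens an old file.
write_config_value() {
  local file=$1 key=$2 value=$3
  ( umask 077; touch "$file" )
  chmod 600 "$file"
  printf '%s=%s\n' "$key" "$value" >> "$file"
}

# Print the value for KEY, treating the file as data only.
# Lines that are not NAME=value with an identifier-like NAME are skipped,
# so a tampered line such as 'rm -rf ~' or '$(curl ...)' is never run.
read_config_value() {
  local file=$1 key=$2 line k v
  [ -f "$file" ] || return 1
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      ''|'#'*) continue ;;      # blank line or comment
      *=*) ;;                   # candidate NAME=value line
      *) continue ;;            # no '=': not a setting, ignore it
    esac
    k=${line%%=*}
    v=${line#*=}
    case $k in
      ''|*[!A-Za-z0-9_]*) continue ;;   # key must be a plain identifier
    esac
    if [ "$k" = "$key" ]; then
      printf '%s\n' "$v"
      return 0
    fi
  done < "$file"
  return 1
}

# Succeed only if the file is mode 0600 (GNU stat first, BSD stat fallback).
config_mode_ok() {
  local file=$1 mode
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file" 2>/dev/null) || return 1
  [ "$mode" = "600" ]
}

# The vulnerable pattern, for comparison: source the file in a subshell and
# print INJECTED. Command substitutions in the file run during the source.
sourced_injected() {
  ( . "$1" >/dev/null 2>&1; printf '%s' "$INJECTED" )
}

# Demo with a constructed config: one normal entry, then a tampered line.
demo() {
  local dir cfg
  dir=$(mktemp -d)
  cfg="$dir/config"
  write_config_value "$cfg" NOTION_API_KEY 'ntn_example_token'
  printf '%s\n' 'INJECTED=$(echo executed)' >> "$cfg"
  echo "source executed the tampered line, INJECTED=$(sourced_injected "$cfg")"
  echo "safe parser kept it literal,        INJECTED=$(read_config_value "$cfg" INJECTED)"
  echo "token read back:                    $(read_config_value "$cfg" NOTION_API_KEY)"
  rm -rf "$dir"
}

demo
```

The reader accepts only identifier-like keys, so a poisoned file degrades to a missing setting rather than code execution; the mode check lets a status script refuse a config that another local user could read or edit.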

ASI06: Memory and Context Poisoning
Low
What this means

Your goals, tasks, reviews, and habits may be stored and reused as context for future planning conversations.

Why it was flagged

Weekly reviews intentionally read and reuse stored planning state, reflections, and personal productivity lists.

Skill content
From the configured backend, pull: Current 2-week sprint tasks and completion status ... Last review ... Not-To-Do list + Time Wasters list
Recommendation

Use the local Markdown backend if you want offline storage, and review what you store in connected services before letting the agent read or update it.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

The Google Calendar option may not work as documented, and its OAuth behavior is not reviewable from the provided artifacts.

Why it was flagged

The Google Calendar setup path references gcal_setup.py, but that helper is not included in the provided file manifest.

Skill content
echo "   python3 $(dirname $0)/gcal_setup.py"
Recommendation

Do not use the Google Calendar option until the missing helper script is supplied and reviewed.