Skillv1.10.2

ClawScan security

EffortList AI (Organize Your Life /w Safety) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 15, 2026, 1:19 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill is internally consistent with its stated purpose: an instruction-only integration with EffortList AI that only requires a single service API key and contains no unrelated installs, binaries, or credential requests.
Guidance: This skill appears to legitimately implement an EffortList AI integration and only asks for the service API key. Before installing: 1) Verify you trust effortlist.io and the skill publisher (source is unknown in the registry metadata). 2) Prefer supplying the API key via an environment variable rather than writing it into OpenClaw's persistent config unless you understand the implications. 3) Be aware the key is persistent and grants full access to your EffortList data (including destructive operations and appointment cancellations); require explicit user confirmation before any destructive actions. 4) Confirm the developer subscription and key lifecycle (docs say keys are shown once and can only be revoked in the dashboard). 5) If you have concerns about scope, create a separate EffortList account or key you can safely revoke for testing. If you want a tighter review, provide the exact OpenClaw config behavior for stored secrets or evidence of the publisher's identity and website verification.

Review Dimensions

Purpose & Capability: okThe name/description describe task and schedule management and the SKILL.md + references exclusively document EffortList API endpoints and behaviors. The only required environment variable is EFFORTLIST_API_KEY, which is appropriate for a REST API integration. No unrelated services, binaries, or system access are requested.
Instruction Scope: noteRuntime instructions are focused on EffortList endpoints (create/list/patch/delete folders/tasks/todos, availability, undo/redo, /me) and include sensible safety guidance (rate limits, booking protections, timezone alignment). They do not instruct reading local files or other unrelated environment variables. Note: the doc suggests storing the API key in OpenClaw internal config (openclaw config set ...), which will persist the secret in agent config—this is expected but worth the user's awareness.
Install Mechanism: okThis is an instruction-only skill with no install spec and no code files, so nothing is downloaded or written to disk by the skill's package itself.
Credentials: okOnly EFFORTLIST_API_KEY is required and it directly matches the documented bearer-token authentication (efai_<48 hex chars>). No additional secrets, credentials, or unrelated env vars are requested.
Persistence & Privilege: notealways:false (no forced inclusion). disable-model-invocation is false (normal). The SKILL.md suggests storing the API key in OpenClaw config (persistent storage) which grants the agent ongoing access to the EffortList account while the key remains present—this is expected for convenience but is a persistent privilege the user should consider.