Back to skill
Skillv1.1.0
ClawScan security
Task Manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 4, 2026, 5:41 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements, instructions, and code are consistent with a local SQLite-based task manager and do not request unrelated credentials or network access.
- Guidance
- This skill appears to be a simple, local SQLite task manager and is internally coherent. Before installing, you may want to: (1) review the remainder of task-manager.py (the provided listing was truncated) to confirm there are no network calls or unexpected file access; (2) run the script in a safe sandbox or non-production agent to verify behavior; and (3) be aware that the database is stored under the skill directory (data/tasks.db) so tasks remain local to that skill copy. Minor notes: _meta.json version fields slightly mismatch the registry metadata (likely benign) and the code builds some SQL fragments dynamically (limit and update column names) — if you plan to expose this to untrusted inputs, a code review for SQL-sanitization would be prudent.
Review Dimensions
- Purpose & Capability
- okName/description, SKILL.md, and the included Python script align: a local SQLite task manager stored under the skill directory. Required binary (python3) and required files (task-manager.py) are appropriate.
- Instruction Scope
- okRuntime instructions are limited to running the included Python script and operating on a local DB at <skill-dir>/data/tasks.db. There are no instructions to read unrelated system files, contact external endpoints, or access environment variables.
- Install Mechanism
- okNo install spec; this is instruction-only with one bundled script. Nothing is downloaded or executed from remote URLs.
- Credentials
- okThe skill declares no environment variables or credentials, and the code does not attempt to read secrets or external service credentials. Requested access is minimal and proportional to the stated purpose.
- Persistence & Privilege
- okalways is false and the skill does not request permanent platform-wide privileges. The DB is stored within the skill directory (per SKILL.md), which limits its footprint to the skill workspace.