bun-do
Pass
Audited by ClawScan on May 10, 2026.
Overview
The skill is a coherent local task-management helper, but it can change or delete local task/project data and relies on an external bun-do CLI not included in the review.
This appears safe to use if you trust the external bun-do CLI and want an agent to manage a local task database. Before installing, verify the package source, and tell the agent to confirm before deleting tasks/projects, clearing completed items, or making proactive end-of-day changes.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could mark tasks done, delete tasks or projects, or add progress entries in the local bun-do database.
The skill documents mutating and destructive API actions, and also suggests proactive behavior. These actions fit a task manager, but accidental or autonomous use could change or remove local task/project records.
Delete task | DELETE | `/api/tasks/{id}` ... Delete project | DELETE | `/api/projects/{id}` ... Proactive patterns ... End of day: Mark completed tasks done, add entries to active projects.
Use the skill for task management, but require explicit confirmation before deletes, bulk cleanup, or end-of-day automatic updates.
Installing the external CLI may execute code that was not part of this skill review.
The skill asks the user to install and run an external global CLI, while the supplied artifacts contain only SKILL.md and no reviewed package code or install spec. This is expected for an instruction-only local API integration, but users must trust the external `bun-do` package.
**Start**: `bun-do start` (install: `bun install -g bun-do`)
Verify the `bun-do` package source and version before installing it globally.
Your local bun-do data may contain sensitive personal information such as bills, deadlines, payment amounts, and project notes.
The skill stores task, payment, reminder, and project progress data persistently on disk. This is central to the stated task-manager purpose, but persistent local context can later influence agent behavior or expose personal planning information locally.
All data persists to JSON on disk. Nothing leaves your machine. ... **Data**: `~/.bun-do/`
Avoid storing secrets in tasks, review `~/.bun-do/` periodically, and correct stale or incorrect task data.
