ClawHub
Back to skill
v1.0.0

Easy TODO list management for busy crustaceans and their humans

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 7:29 AM.

Analysis

This appears to be a coherent local TODO manager; it stores tasks on disk and can run scheduled briefings, but the behavior is disclosed and purpose-aligned.

GuidanceThis skill looks safe for its stated purpose. Before installing, make sure you are comfortable with a local Node.js script maintaining a persistent TODO file and with the agent sending scheduled morning and evening task summaries.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Rogue Agents
SeverityLowConfidenceHighStatusNote
SKILL.md
Run these automatically on the following schedule, without waiting for the user to ask: ... 08:30 `briefing morning` ... 18:00 `briefing evening` ... Also run `materialize` once per day

The skill explicitly requests scheduled autonomous actions. They are limited to generating TODO briefings and updating recurring TODO items, which fits the stated reminder purpose.

User impactThe agent may send daily TODO summaries and update recurring tasks without you asking each time.
RecommendationInstall only if you want automatic reminders, and confirm your OpenClaw environment supports scheduling in a way you can disable.
Unexpected Code Execution
SeverityInfoConfidenceHighStatusNote
SKILL.md
node ~/.openclaw/skills/todo/cli.js <command> [options]

The skill operates by running a local Node.js CLI. This is central to the skill's stated purpose and the included code is consistent with local TODO-file management.

User impactUsing the skill runs local JavaScript to read and update the TODO file.
RecommendationReview the included cli.js before installation if you are cautious about local code execution.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
SeverityLowConfidenceHighStatusNote
SKILL.md
All tasks are persisted in `~/.openclaw/skills/todo/todos.md`.

The skill keeps persistent user-provided task data and later reuses it in lists and briefings. This is expected for a TODO list but still creates persistent local context.

User impactTask titles, notes, tags, deadlines, and recurrence settings may remain stored locally and be repeated in later summaries.
RecommendationAvoid putting secrets or instruction-like text in TODO items, and periodically review or delete the local todos.md file if needed.