NextCloud Deck Tracker
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill is a plausible NextCloud task tracker, but it tells the agent to log every request, use an undeclared external CLI with credentials, and can send background status notifications to an unclear default recipient named “Skander.”
Review this skill before installing. Only use it if you understand which `deck` CLI will run, where your NextCloud credentials are stored, which board will be modified, and who receives monitor notifications. Avoid the default monitor target unless you explicitly intend to notify that recipient.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Task status or user-request details could be sent to an unintended person, chat target, or agent if the default is used.
The monitor can send repeated notifications to an unclear default recipient. The artifacts do not explain who or what 'Skander' is, whether this is the installing user, or what task details are included.
Additionally, it sends a chat notification to the specified `target_id` (defaults to Skander) every 120 seconds.
Require an explicit user-configured notification target, document the destination clearly, and avoid any named default recipient.
Sensitive or casual user requests may be written to a NextCloud Deck board without a separate tracking decision.
This directs the agent to automatically create a persistent external task record for every user request, rather than only when the user asks to track a task.
Track Everything: `deck add ... --progress` is your first action for any user request.
Limit automatic tracking to explicit task-management requests or require user confirmation before recording request details externally.
The agent may rely on an unreviewed or unrelated `deck` executable from the user’s environment to perform account-changing actions.
The reviewed package contains no `deck` implementation, while the skill instructions depend on invoking a `deck` command that can mutate NextCloud data.
No install spec — this is an instruction-only skill. No code files present — this is an instruction-only skill.
Package or declare the exact CLI dependency, pin its source/version, and declare required binaries and credentials in metadata.
Installing users need to understand that the skill can act on their NextCloud Deck account using the configured app password.
The skill requires NextCloud account credentials, which is expected for managing a user’s Deck board, but the registry metadata declares no credentials or environment variables.
export DECK_USER="your_username" export DECK_PASS="your_app_password" # Use an App Password!
Declare the required credentials and environment variables in metadata and recommend a least-privilege app password if available.
A monitor process may keep posting updates until the card is moved out of the In Progress stack.
Background monitoring is disclosed and related to long-running task tracking, but it persists beyond the immediate command and repeatedly mutates remote task state.
Spawns a background process that appends a "Still working..." log entry every 60 seconds.
Document how to list and stop monitors manually, and require explicit user approval before starting background monitoring.
Details from completed tasks could be reused in future agent memory, including information the user did not intend to persist.
The skill encourages using completed task data for long-term memory, which is related to its tracking purpose but lacks clear retention, filtering, or consent boundaries.
Memory Synthesis: Before archiving, use `deck dump-done` to parse the day's work and reinforce long-term memory.
Explain what memory store is updated, what data is included or excluded, and ask before persisting sensitive task summaries.