ClawHub

Flatnotes + Tasks.md GitHub Audit

v1.0.0

Thoroughly audit Tasks.md + Flatnotes for drift and accuracy; use GitHub (gh CLI) as source of truth to detect stale notes/cards and missing links. Produces a report and an optional fix plan.

2· 1.5k·2 current·2 all-time
by@branexp

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for branexp/flatnotes-tasksmd-github-audit.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Flatnotes + Tasks.md GitHub Audit" (branexp/flatnotes-tasksmd-github-audit) from ClawHub.
Skill page: https://clawhub.ai/branexp/flatnotes-tasksmd-github-audit
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install flatnotes-tasksmd-github-audit

ClawHub CLI

Package manager switcher

npx clawhub@latest install flatnotes-tasksmd-github-audit
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The declared purpose (audit Tasks.md + Flatnotes using GitHub as source of truth) matches what the script does: it reads local Flatnotes and Tasks folders, parses a project registry, and calls the gh CLI to reconcile PRs. Small inconsistency: the registry metadata lists no required binaries, but the runtime expects Node (to run the .mjs) and the gh CLI; SKILL.md mentions gh behavior but the manifest does not declare these as required.
Instruction Scope
Instructions and code are narrowly scoped to auditing: they read files under the configured Tasks.md and Flatnotes roots, parse content, and optionally create limited Flatnotes files when asked. There are no instructions to read unrelated system config, environment secrets, or to send arbitrary data to external endpoints. GitHub access is via the local gh CLI, which will use the user's existing gh authentication if present.
Install Mechanism
No install spec is present (instruction + bundled script only). No downloads or external installers are executed by the skill. The included script is plain JavaScript (no obfuscation) and will run under Node when invoked.
Credentials
The skill requests no credentials or special env vars in the manifest and only uses two optional env vars (TASKS_ROOT, FLATNOTES_ROOT) to override defaults. It does rely on the user having gh configured for GitHub checks, but it does not demand tokens itself. The main proportionality note is the manifest not declaring 'gh' / 'node' as required binaries.
Persistence & Privilege
The skill does not request persistent presence (always:false). It writes report outputs to a tmp directory and may create new Flatnotes files only when explicitly asked; SKILL.md includes guardrails to ask before destructive actions.
Assessment
This skill appears to do what it claims: it reads your Tasks.md and Flatnotes data and uses the local gh CLI to compare PRs. Before installing/running: 1) Verify you are comfortable that the script will read files under the default paths (/home/ds/...) or set TASKS_ROOT/FLATNOTES_ROOT to point to the correct locations. 2) Ensure Node and the gh CLI are available and that you understand gh will use your existing GitHub authentication (the skill does not request tokens itself). 3) Run it in report-only mode first (no auto-fixes) and review tmp/flatnotes-tasksmd-audit.{md,json}. 4) If you allow auto-fixes, back up Flatnotes/Tasks.md first and review which auto-fixes the tool will perform (it claims to only create missing notes, add ADR links, move specific cards, and add missing pointers; it should ask before renames/deletes). 5) If you want to be extra cautious, inspect scripts/audit.mjs yourself or run it in a non-production copy of your data.

Like a lobster shell, security has layers — review code before you run it.

latestvk9711vtc0vdz2s35231nhgkm3s80n9rg
1.5kdownloads
2stars
1versions
Updated 2mo ago
v1.0.0
MIT-0
@branexp
latest
Download

Flatnotes + Tasks.md + GitHub Audit

Use this skill when Brandon asks to audit the Flatnotes/Tasks.md system for accuracy and ensure it’s up to date, using GitHub as the source of truth.

Quick start

Run the bundled auditor (report-only):

node skills/flatnotes-tasksmd-github-audit/scripts/audit.mjs --since-days 30 --write

Outputs:

  • Markdown report: tmp/flatnotes-tasksmd-audit.md
  • JSON report: tmp/flatnotes-tasksmd-audit.json

If gh is not authenticated, the audit still runs but GitHub checks will be marked as SKIPPED_GITHUB.

Data sources (defaults)

  • Tasks.md root: /home/ds/.config/appdata/tasksmd/tasks
  • Flatnotes root: /home/ds/.config/appdata/flatnotes/data
  • Flatnotes “system notes” mirror in workspace: notes/resources/flatnotes-system/

Override via env vars:

  • TASKS_ROOT
  • FLATNOTES_ROOT

Audit goals (what “accurate” means)

A) Board hygiene (Tasks.md)

  • Global lanes exist: 00 Inbox, 05 Backlog, 10 Next, 20 Doing, 30 Blocked, 40 Waiting, 90 Done.
  • Lane rule preference: prio-p2 lives in 05 Backlog by default (no prio-p2 in 10 Next).
  • Doing WIP ≤ 3 (preference).
  • Cards should be consistently formatted (Outcome/Steps) and tagged (proj/prio/eff/type).
  • Blocked cards include Unblock:.
  • Project cards include a Flatnotes pointer (Flatnotes: ...).

B) Project completeness (Flatnotes)

For each active project in SYS Workspace - Project Registry:

  • Required project notes exist:
    • PJT <slug> - 00 Overview
    • PJT <slug> - 10 Research
    • PJT <slug> - 20 Plan
    • PJT <slug> - 90 Log
  • Hub note has:
    • Current status (1–3 bullets)
    • Links section with repo + Tasks filter
    • Decisions section linking relevant ADR(s)

C) GitHub truth reconciliation (GitHub = source of truth)

For each project repo in the registry:

  • Open PRs should have a corresponding Tasks card (Doing/Next/Blocked/Waiting) OR an explicit reason why not.
  • Recently merged PRs should be reflected somewhere:
    • preferably a short note in the project log (PJT <slug> - 90 Log) + hub status update, or
    • a Done card with PR link.
    • (Audit treats either as reconciled; it may warn if a merged PR is only on a Done card but missing from the log.)
  • Done cards should ideally include a PR link when work was shipped via PR.

Workflow (recommended)

  1. Parse registry

    • Read SYS Workspace - Project Registry from Flatnotes.
    • Extract: slug, status, Tasks tag, GitHub repo URL.

  2. Scan Tasks.md

    • Index cards by lane and by proj-* tag.
    • Flag lane rule violations (prio-p2 in Next, etc.).
    • Flag cards missing Flatnotes pointer.

  3. Scan Flatnotes

    • Check required project notes exist.
    • Check hub Decisions section links ADR notes.

  4. GitHub cross-check

    • Use gh:
      • gh pr list --state open --json ...
      • gh pr list --state merged --search "merged:>=<date>" --json ... (or equivalent)
    • Try to match PRs ↔ Tasks cards using:
      • PR URL in card content
      • PR number
      • Title substring heuristic

  5. Report

    • Output: summary + per-project drift list + fix plan.

Applying fixes (guardrails)

Default is report-only.

If Brandon explicitly asks to apply fixes:

  • Safe auto-fixes allowed:
    • create missing Flatnotes notes (10 Research, etc.) using existing templates
    • add missing ADR links to hub Decisions section
    • move prio-p2 from Next → Backlog
    • add missing Flatnotes pointers to Tasks cards
  • Anything that renames files or deletes content: ask first.

Bundled code

  • scripts/audit.mjs — generates the report (Markdown + JSON). If needed, patch it rather than rewriting.

Comments

Loading comments...