Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

待办大师 (Todo Master)

v1.0.0

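A skill for local todo management. It stores todos through a Python CLI backed by SQLite; on first use the user must confirm the data directory (by default the data directory under the current skill directory, or a specified existing absolute path); it supports adding todos, quickly adding todos for today/tomorrow, viewing today's todos, viewing all todos filtered by status/priority/keyword, viewing a single todo, updating, completing, reopening, archiving, ...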

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for asir-zhang/todo-master.

Install the skill "待办大师" (asir-zhang/todo-master) from ClawHub.
Skill page: https://clawhub.ai/asir-zhang/todo-master
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install todo-master

ClawHub CLI

npx clawhub@latest install todo-master

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (high confidence)

Purpose & Capability

SKILL.md and scripts/todo.py consistently describe a Python CLI using SQLite for storage (config.json + todos.sqlite3). However, the included TECH_SPEC.md/INTRO.md repeatedly describe a JSON-monthly-file based storage/index.json design. This mismatch between the technical spec and the actual implementation is an incoherence: either the docs are stale or the implementation diverged. Also the default data directory is inside the skill directory (skill_root/data) which means the skill may write files next to its code unless the user explicitly chooses an external absolute path.

Instruction Scope

Runtime instructions are narrowly scoped to running the CLI and initializing a data directory; they explicitly require user confirmation of the data directory and instruct agents to use the CLI (not to edit DB directly). No instructions ask the agent to access unrelated files, env vars, or network endpoints. The only scope issue is the guidance to default to a data directory under the skill folder — agents or users should be careful which path they confirm.

Install Mechanism

No install spec or external downloads are present; the package is instruction/code-only and relies on the Python standard library. This is low-risk from an install/remote-code-fetch perspective.

Credentials

The skill requests no environment variables, no credentials, and no config paths beyond writing/reading its own config.json and a data directory chosen by the user. That is proportionate to a local todo manager.

Persistence & Privilege

always:false and normal autonomous invocation are used. The skill will write config.json into its skill_root and create the chosen data directory (default is skill_root/data) and a SQLite DB there. This level of persistence is normal for a local storage skill, but users should confirm and control the data directory path before initialization.

What to consider before installing

This skill appears to be a local Python CLI that stores todos in a SQLite DB and does not attempt network access or request secrets — that's good. However:

  • The included TECH_SPEC/INTRO docs describe a JSON-monthly-file storage model while the script implements SQLite; ask the publisher which storage format is authoritative or assume the implementation (todo.py) is the source of truth. Stale or mismatched docs are a sign to be cautious.
  • During first run you must explicitly confirm the data directory. Do NOT accept the default unless you want data written inside the skill's installation directory. Prefer specifying an absolute path under your home directory (e.g., /home/you/.local/share/todo-skill or C:\Users\You\todo-data) to avoid permission surprises and accidental writes to system locations.
  • Inspect scripts/todo.py yourself (or run it in an isolated environment/container) before giving it persistent access. The code included appears to only read/write local files and use SQLite, but you should verify no unexpected network or shell execution calls exist in the full file.
  • Make backups of any existing data you care about before running init or migrations (the script can migrate legacy JSON data into SQLite and could change file formats).

If you need absolute confidence, ask the publisher to clarify the storage design (JSON files vs SQLite) and provide a signed release or more detailed changelog; otherwise run in a sandboxed environment and point the tool at a safe absolute data directory.
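One way to carry out the "verify no unexpected network or shell execution calls" check before running the script is a static pass over its syntax tree. This is an added example, not part of the scan report or of the skill's code; the module and call lists and the sample source are assumptions chosen for illustration.

```python
import ast

# Modules that a local-only, stdlib-only todo CLI has no obvious need for.
RISKY_MODULES = {"socket", "ssl", "urllib", "http", "ftplib", "smtplib",
                 "requests", "subprocess", "ctypes", "importlib", "pty"}
# Calls that run shell commands or evaluate code built at runtime.
RISKY_CALLS = {"os.system", "os.popen", "eval", "exec", "__import__"}
RISKY_PREFIXES = ("os.exec", "os.spawn")

def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        return ".".join(reversed(parts + [node.id]))
    return None

def audit_source(source, filename="<skill>"):
    """Return sorted (line, finding) pairs that deserve manual review."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        mods = []
        if isinstance(node, ast.Import):
            mods = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            mods = [node.module or ""]
        findings += [(node.lineno, f"import {m}") for m in mods
                     if m.split(".")[0] in RISKY_MODULES]
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name and (name in RISKY_CALLS or name.startswith(RISKY_PREFIXES)):
                findings.append((node.lineno, f"call {name}()"))
    return sorted(findings)

# Constructed sample input, not taken from the skill.
SAMPLE = '''\
import sqlite3, json
import urllib.request
from subprocess import run
import os

def sync(db):
    os.system("true")
    return sqlite3.connect(db)
'''

if __name__ == "__main__":
    for line, finding in audit_source(SAMPLE):
        print(f"line {line}: {finding}")
```

The parse never executes the file, so it is safe to run on untrusted code; an empty result narrows the manual review but does not replace it, since names built at runtime (for example through getattr) are not visible to a static pass.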

License: MIT-0

Todo Skill

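Use cases

  • You need to maintain local todos in OpenClaw rather than rely on an online service.
  • You need a stable Python script entry point that agents or automation can call directly.
  • You need skill upgrades to keep reusing existing data instead of rebuilding the storage.

Runtime layout

Script entry point: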

python3 ./todo-master/scripts/todo.py

Main files:

  1. ./todo-master/config.json
  2. <data_dir>/todos.sqlite3
  3. ./todo-master/requirements.txt

Default data directory:

  1. ./todo-master/data

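Dependencies

Runtime environment:

  1. Python 3.10 or later
  2. The current implementation depends only on the Python standard library; no third-party packages are required

To install through a uniform workflow anyway, run: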

python3 -m pip install -r ./todo-master/requirements.txt

Initialization

Before first use, the user must confirm the data directory:

python3 ./todo-master/scripts/todo.py init --default
python3 ./todo-master/scripts/todo.py init --data-dir /absolute/existing/path

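Rules:

  1. --default uses data/ under the current skill directory
  2. --data-dir must be an existing absolute path
  3. Before initialization, do not run any command other than init and show-config

Commands

Show the current configuration: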

python3 ./todo-master/scripts/todo.py show-config

Add a regular todo:

python3 ./todo-master/scripts/todo.py add --title "准备周报" --content "汇总本周项目进展" --priority 4
python3 ./todo-master/scripts/todo.py add --title "整理材料" --content "补齐投标附件" --priority 5 --due 2026-03-20
python3 ./todo-master/scripts/todo.py add --title "联系客户" --content "确认下周演示时间" --priority 3 --due 2026-03-20T18:30

Quickly add a todo for today/tomorrow:

python3 ./todo-master/scripts/todo.py add-today --title "回邮件" --content "回复合作方案" --priority 3
python3 ./todo-master/scripts/todo.py add-tomorrow --title "开复盘会" --content "准备会议提纲" --priority 4

View today's todos (those due today):

python3 ./todo-master/scripts/todo.py list-today
python3 ./todo-master/scripts/todo.py list-today --json

View all todos:

python3 ./todo-master/scripts/todo.py list-all
python3 ./todo-master/scripts/todo.py list-all --json
python3 ./todo-master/scripts/todo.py list-all --status open --min-priority 4
python3 ./todo-master/scripts/todo.py list-all --keyword "周报" --limit 10
python3 ./todo-master/scripts/todo.py list-all --overdue

View a single todo:

python3 ./todo-master/scripts/todo.py show --id <todo_id>
python3 ./todo-master/scripts/todo.py show --id <todo_id> --json

Update, complete, reopen, archive:

python3 ./todo-master/scripts/todo.py update --id <todo_id> --title "新标题" --priority 5
python3 ./todo-master/scripts/todo.py update --id <todo_id> --due 2026-03-21T18:00
python3 ./todo-master/scripts/todo.py update --id <todo_id> --clear-due
python3 ./todo-master/scripts/todo.py done --id <todo_id>
python3 ./todo-master/scripts/todo.py reopen --id <todo_id>
python3 ./todo-master/scripts/todo.py archive --id <todo_id>

View statistics:

python3 ./todo-master/scripts/todo.py stats

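Data and upgrade rules

  1. Configuration and data are separate: config.json stores only the data directory and the database file name
  2. SQLite uses PRAGMA user_version to manage the schema version
  3. Forward-compatible migrations run automatically at startup
  4. If legacy JSON data files are found, they are imported automatically the first time the SQLite database is opened, so existing data is not lost
  5. Do not edit the SQLite file by hand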
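The general pattern behind rules 2 and 3, as an added example: it is not the code in scripts/todo.py, and the table layout and migration steps are hypothetical. Each step runs in its own transaction together with the user_version bump, so a failed step leaves both schema and version untouched, and a database written by a newer release is refused rather than modified.

```python
import sqlite3

# Hypothetical schema steps: entry i upgrades user_version i to i + 1.
MIGRATIONS = [
    "CREATE TABLE todos (id INTEGER PRIMARY KEY, title TEXT NOT NULL, "
    "content TEXT NOT NULL, priority INTEGER NOT NULL "
    "CHECK (priority BETWEEN 1 AND 5))",
    "ALTER TABLE todos ADD COLUMN due TEXT",
    "ALTER TABLE todos ADD COLUMN status TEXT NOT NULL DEFAULT 'open'",
]

def schema_version(conn):
    return conn.execute("PRAGMA user_version").fetchone()[0]

def migrate(conn, steps=MIGRATIONS):
    """Apply pending steps in order and return the resulting schema version."""
    current = schema_version(conn)
    if current > len(steps):
        raise RuntimeError(
            f"database is at schema v{current}, this code knows v{len(steps)}")
    conn.isolation_level = None  # autocommit mode: transactions are explicit
    for version in range(current, len(steps)):
        conn.execute("BEGIN IMMEDIATE")
        try:
            conn.execute(steps[version])
            # The value is an int from range(), never user input.
            conn.execute(f"PRAGMA user_version = {version + 1}")
            conn.execute("COMMIT")
        except Exception:
            conn.execute("ROLLBACK")  # undoes the DDL and the version bump
            raise
    return schema_version(conn)

if __name__ == "__main__":
    # Constructed demo: a database left at schema v1 by an older release.
    db = sqlite3.connect(":memory:")
    db.execute(MIGRATIONS[0])
    db.execute("PRAGMA user_version = 1")
    db.execute("INSERT INTO todos (title, content, priority) VALUES ('a', 'b', 3)")
    db.commit()
    print("upgraded to", migrate(db))
    print(db.execute("SELECT title, due, status FROM todos").fetchall())
```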

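Execution rules for agents

  1. When adding a todo, title, content and priority are all required
  2. priority must be between 1 and 5
  3. list-today means "todos due today"
  4. archive is a soft archive that keeps the data, not a physical deletion
  5. All data reads and writes must go through the CLI; do not bypass the script and write to the database directly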
