Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

TODO Web App

Deploy a local TODO web app that reads and writes a Markdown TODO.md file. Serves a beautiful dark-themed, glassmorphism UI on the LAN (no HTTPS needed). Fea...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (local TODO web app) aligns with the provided server.js and SKILL.md. The script reads/writes TODO.md and TODO-done.md, serves UI over HTTP on port 3456, and includes archive/toggle behavior described in the README. The launchd autostart instruction matches the claimed auto-start behavior.
Instruction Scope
Instructions are scoped to installing the script, adding an optional bg.jpg, and registering a macOS launchd agent. They direct reading/writing of TODO.md and TODO-done.md (explicitly one directory up from server.js). Note: the instructions modify user launch agents (persistent startup) and assume macOS; there is no guidance for other OSes. The app exposes an unauthenticated HTTP endpoint on the LAN and will accept toggle/archive actions from any LAN client—this is expected but a material security consideration.
Install Mechanism
No install spec or external downloads are present; the skill is instruction-only plus a bundled server.js file. Nothing is pulled from remote URLs or extracted to disk by an installer. The only persistent installation step is the user copying a plist into ~/Library/LaunchAgents and loading it.
Credentials
No environment variables, credentials, or external service tokens are requested. The script works with local filesystem files only (TODO.md, TODO-done.md, optional bg.jpg). Those file accesses are consistent with the described functionality.
Persistence & Privilege
The skill does not set always:true and requires manual user action to install. However, the provided instructions ask the user to create/load a launchd agent, which grants persistent autostart on macOS. This persistence is proportional to the stated goal (auto-start), but users should review the plist and confirm paths/permissions before loading.
Assessment
This skill appears to do exactly what it says: run a local Node.js server that reads/writes TODO.md and archives completed items. Before installing:

1. Inspect server.js yourself (it modifies TODO.md and appends to TODO-done.md).
2. Place the script where you intend and ensure TODO.md is the correct file (it uses the parent directory of server.js).
3. Be aware it serves plain HTTP on your LAN without authentication: anyone on your local network who can reach your host:3456 can view and toggle tasks. Don't install on a machine with sensitive TODO.md contents or on an untrusted network.
4. When following the launchd steps, open the plist file and verify the node and server.js paths and the run arguments before running launchctl load; if you prefer not to auto-start, skip the launchd step.
5. Consider firewall rules or binding to localhost if you want to restrict access.

If you want additional assurance, run the server inside a restricted account/container or change file permissions so only an intended user can edit TODO.md.
Static analysis finding: scripts/server.js:57: file read combined with network send (possible exfiltration).
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.


Current version: v1.0.1


SKILL.md

todo-webapp

A zero-dependency Node.js web app that turns your TODO.md into a live, interactive task board.

What it does

  • Serves a dark glassmorphism UI at http://<hostname>.local:3456 (LAN only)
  • Reads TODO.md directly — ## headings become section cards, ### become subheadings, - [ ]/- [x] become clickable items
  • Live updates via Server-Sent Events: any change to TODO.md (by the agent or anyone else) pushes instantly to all open browser tabs
  • Click to toggle: checking an item off saves immediately to TODO.md
  • Archive Done button: moves all [x] items to TODO-done.md with a date stamp and removes them from TODO.md
  • Auto-starts on boot and self-restarts on crash via macOS launchd

Setup

1. Copy the server script

Copy scripts/server.js to your desired app directory (e.g. ~/.openclaw/workspace/todo-app/server.js).

The server expects:

  • TODO.md at ../TODO.md relative to the script (i.e. one directory up)
  • TODO-done.md at ../TODO-done.md (created automatically if missing)
  • bg.jpg in the same directory as the script (optional background image)

2. Add a background image (optional)

Drop any bg.jpg into the same folder as server.js. It will be rendered at ~22% opacity behind the UI. Works best with abstract or dark imagery.

3. Install the launchd agent

Copy assets/com.todo.plist.template to ~/Library/LaunchAgents/com.todo.plist.

Edit the plist and update these two values:

  • The path to node (run which node to find it)
  • The path to server.js

Then load it:

launchctl load ~/Library/LaunchAgents/com.todo.plist

4. Open in browser

Navigate to http://<your-mac-hostname>.local:3456 from any device on your LAN.

Restart command

If you update server.js, restart with:

kill $(lsof -ti :3456) && sleep 1 && launchctl kickstart -k gui/$(id -u)/com.todo

TODO.md format

The app parses standard OpenClaw-style markdown:

## Section Name

### Subheading

- [ ] Open task
- [x] Completed task
- **Bold text** is rendered in item labels

Any section added to TODO.md appears automatically. No app restart needed.
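The format above, together with the click-to-toggle and Archive Done behaviour described under "What it does", as an added example written for this page (it is not the skill's own server.js): the parsing, toggling and archiving are pure functions over the file text, so the logic that rewrites TODO.md can be reviewed and tested in isolation before it sits behind an unauthenticated LAN endpoint. The "## <date>" heading in the done file is an assumption; the README only says items get a date stamp.

```javascript
// Added example (not the skill's own server.js): parse the TODO.md format the
// README describes, toggle one item, and archive completed items, written as
// pure string functions so the file-mutating logic can be reviewed in isolation.

// Parse TODO.md: "## " opens a section card, "### " adds a subheading, and
// "- [ ]" / "- [x]" lines become items that remember their source line number.
function parseTodo(md) {
  const sections = [];
  let current = null;
  md.split('\n').forEach((line, lineNo) => {
    let m;
    if ((m = /^## (.+)$/.exec(line))) {
      current = { title: m[1].trim(), subheadings: [], items: [] };
      sections.push(current);
    } else if (current && (m = /^### (.+)$/.exec(line))) {
      current.subheadings.push(m[1].trim());
    } else if (current && (m = /^- \[( |x)\] (.+)$/.exec(line))) {
      current.items.push({ line: lineNo, done: m[1] === 'x', label: m[2] });
    }
  });
  return sections;
}

// Flip one checkbox. The line index arrives from a browser over plain HTTP, so it
// is checked against the file: any line that is not a checkbox item is left untouched.
function toggleItem(md, lineNo) {
  const lines = md.split('\n');
  const m = /^(- \[)( |x)(\] .+)$/.exec(lines[lineNo] ?? '');
  if (!m) return md;
  lines[lineNo] = m[1] + (m[2] === 'x' ? ' ' : 'x') + m[3];
  return lines.join('\n');
}

// Move every "- [x]" item to the done file under a date heading. The "## <date>"
// heading is an assumption; the README only says items get "a date stamp".
function archiveDone(todoMd, doneMd, dateStamp) {
  const keep = [], moved = [];
  for (const line of todoMd.split('\n')) (/^- \[x\] /.test(line) ? moved : keep).push(line);
  if (moved.length === 0) return { todo: todoMd, done: doneMd };
  const sep = doneMd && !doneMd.endsWith('\n') ? '\n' : '';
  return { todo: keep.join('\n'), done: `${doneMd}${sep}## ${dateStamp}\n${moved.join('\n')}\n` };
}

// Constructed sample in the README's format (not a real user's TODO.md).
const SAMPLE_TODO = ['## Work', '### Today', '- [ ] Write report', '- [x] Send invoice', '',
  '## Home', '- [ ] **Buy** milk'].join('\n');

// Demo run over the sample: parsed sections, then the archived done-file text.
console.log(parseTodo(SAMPLE_TODO));
console.log(archiveDone(SAMPLE_TODO, '', '2024-01-31').done);
```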

Port

Default port is 3456. To change it, edit the PORT constant at the top of server.js.
