Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

TodoWrite Router

v0.1.0

Route TODO checklists to the right storage. session - in-session tracking via /wip, file - persistent TODO (fix_plan.md, TODO.md), issue - team-shared via Gi...

by es6kr @drumrobot

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for drumrobot/todowrite.

Install the skill "TodoWrite Router" (drumrobot/todowrite) from ClawHub.
Skill page: https://clawhub.ai/drumrobot/todowrite
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install todowrite

ClawHub CLI

npx clawhub@latest install todowrite

Security Scan

VirusTotal: Benign (View report →)
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
Name, description, and routing behavior in SKILL.md are consistent: the skill routes TODOs to session (/wip), local files (fix_plan.md, TODO.md), or GitHub Issues as described. The declared depends-on: [wip] matches the session routing.
Instruction Scope
SKILL.md instructs the agent to write/edit local markdown files and to run `gh issue create`/`gh issue list` for team-shared TODOs. It explicitly states issue creation only runs with user approval. However the document references the `gh` CLI but the skill metadata does not declare any required binaries — an operational/information mismatch that could cause unexpected behavior if `gh` is absent or not authenticated.
Install Mechanism
No install spec and no code files are present (instruction-only). This minimizes disk/write risk because nothing is downloaded or installed by the skill itself.
Credentials
The skill declares no required environment variables or credentials, but GitHub issue creation via the `gh` CLI normally requires authentication (gh auth or GITHUB_TOKEN). The absence of declared credentials is not necessarily malicious, but it is an omission the user should be aware of before expecting issue creation to work.
Persistence & Privilege
The skill does not request always-on presence and uses standard user-invocable/autonomous invocation defaults. It does not request system-level configuration changes or persistent installation artifacts.
Scan Findings in Context
[no-findings] expected: The static regex scanner found no code to analyze. This is expected for an instruction-only skill; the SKILL.md is the primary security surface.
What to consider before installing
What to check before installing:

1) Confirm the `wip` skill the document depends on is present and trusted — this skill delegates session tracking to it.
2) Ensure the GitHub CLI (`gh`) is installed and authenticated if you want issue creation to work; otherwise the skill will fail or prompt for credentials.
3) Understand where files (fix_plan.md, TODO.md) will be written and who can access them — back up or sandbox if needed.
4) Note the SKILL.md says it will only run `gh issue create` with explicit user approval; verify that your agent's invocation settings and prompts align with that expectation.
5) If you require stronger assurances, ask the skill author to declare required binaries and authentication steps (or provide an install spec) so you can audit behavior ahead of time.
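
Checks 2 and 3 above can be scripted before the skill is enabled. The following is an added example, not part of the scan report or of the skill itself; the function names are hypothetical, `GH_TOKEN` is assumed as a second token variable that `gh` reads alongside the `GITHUB_TOKEN` named in the report, and treating symlinks and world-writable files as findings is one assumed reading of "who can access them".

```shell
#!/bin/sh
# Added preflight sketch for the TodoWrite Router skill; not shipped with it.
# Usage: . ./preflight.sh && preflight /path/to/project

# check_gh: can `gh issue create` run without prompting for credentials?
# Prints one of: missing | token-env | authenticated | unauthenticated
check_gh() {
    if ! command -v gh >/dev/null 2>&1; then
        echo missing; return 1
    fi
    # A token exported in the agent's environment takes precedence over a
    # stored login, so issues would be created under that identity.
    if [ -n "${GH_TOKEN:-}${GITHUB_TOKEN:-}" ]; then
        echo token-env; return 0
    fi
    if gh auth status >/dev/null 2>&1; then
        echo authenticated; return 0
    fi
    echo unauthenticated; return 1
}

# check_todo_file PATH: inspect a file the skill would Write/Edit.
# Prints one of: symlink | absent | world-writable | ok
check_todo_file() {
    f=$1
    if [ -L "$f" ]; then
        # Writes follow the link and may land outside the project tree.
        echo symlink; return 1
    fi
    if [ ! -e "$f" ]; then
        echo absent; return 0
    fi
    mode=$(ls -ld -- "$f" | cut -c1-10)   # e.g. -rw-r--r--
    case $mode in
        ????????w?) echo world-writable; return 1 ;;
    esac
    echo ok
}

# preflight DIR: one line per check for the two files the skill names.
preflight() {
    dir=${1:-.}
    echo "gh: $(check_gh)"
    for name in fix_plan.md TODO.md; do
        echo "$name: $(check_todo_file "$dir/$name")"
    done
}
```

A `token-env` result is worth noting on shared or CI hosts, where the exported token may carry broader repository scope than the user intends the agent to have.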

Like a lobster shell, security has layers — review code before you run it.

v0.1.0 · 85 downloads · 0 stars · 1 version · Updated 3w ago · MIT-0

TodoWrite

Route TODO checklists to the appropriate storage based on context.

Routing Decision

New TODO arrives
  ├─ Only needed this session → /wip (TaskCreate/TodoWrite)
  ├─ Persists beyond session → file (fix_plan.md, TODO.md)
  └─ Team-shared → issue (GitHub Issues)

Topics

| Topic | Storage | Lifetime | Tool |
|---|---|---|---|
| session | TaskCreate/TodoWrite | Session | /wip skill |
| file | fix_plan.md, TODO.md | While file exists | Write/Edit |
| issue | GitHub Issues | Permanent | gh issue create |

Session → /wip

Current session task tracking is handled by the wip skill:

/wip    # Track session work with TodoWrite/TaskCreate

File-based TODO

fix_plan.md (Ralph projects)

## Pending

- [ ] Item 1 — description
- [ ] Item 2 — description

## Completed

- [x] Done item — (completed: 2026-04-03, commit abc1234)

Rules:

  • Move to Completed section on completion + timestamp
  • Mark blocked items with [BLOCKED] tag
  • Mark skipped items with [SKIPPED] tag

TODO.md (General projects)

# TODO

## High Priority
- [ ] Urgent item

## Normal
- [ ] Regular item

## Done
- [x] Completed item (2026-04-03)

Issue-based TODO

Team-shared TODOs go to GitHub Issues:

# Create issue (user approval required)
gh issue create --title "Item" --body "Description"

# List issues
gh issue list --label "todo"

Note: gh issue create only runs when user explicitly says "create an issue".

Routing Examples

| Situation | Route | Reason |
|---|---|---|
| "Run this 5-step deploy" | /wip (session) | Session tracking is sufficient |
| "Fix this bug later" | file (fix_plan.md) | Persists beyond session |
| "Assign this to Jinju" | issue (GitHub) | Team sharing needed |
| "Note this from the review" | file (fix_plan.md) | Outside current PR scope |
