TaskFlow

TaskFlow's code, required environment, and runtime instructions are consistent with a local, Node-based markdown→SQLite task manager; it asks only for a workspace path and Node and contains expected filesystem and macOS-Notes interactions.

This skill appears coherent and limited to local task management, but review these before installing: - OPENCLAW_WORKSPACE: set this to a directory you control (e.g., ~/.openclaw/workspace). The scripts will read/write everything under that path (PROJECTS.md, tasks/, memory/taskflow.sqlite, logs, taskflow.config.json). Do not point it at sensitive system directories. - LaunchAgent / daemon: the setup can install a macOS LaunchAgent (~/Library/LaunchAgents/com.taskflow.sync.plist) and call launchctl load. Installing that gives periodic background sync (60s). Only install the agent if you trust the code and want background sync; inspect the plist content before loading it. - CLI symlink: the README suggests linking the CLI into /opt/homebrew/bin or /usr/local/bin. Creating system-wide symlinks may require elevated privileges; prefer a user-local bin on Linux/macOS if you want to avoid system-wide changes. - Apple Notes access: the apple-notes-export script uses osascript to create/update Notes. On macOS you may need to grant automation/access permissions; the script writes a temporary HTML file and invokes osascript. Confirm the script's behavior and that project names or note titles cannot cause undesired AppleScript injection in your environment. - Offline/Network: the shipped scripts do not perform network requests or require external credentials. Example docs mention S3/CDN as an option for dashboards, but those are not part of the shipped code. - Review code: because this skill has runnable scripts that will execute on your machine, scan the repository (particularly scripts/install-daemon, task-sync, and apple-notes-export) and run them in a controlled environment (or with a non-privileged test workspace) before enabling automated agent use. If you want the lowest-risk setup: set OPENCLAW_WORKSPACE to a dedicated directory, run the setup interactively yourself (so you can decline the LaunchAgent), and avoid granting the agent permission to invoke the skill autonomously until you've validated behavior.