ClawHub

ClawKeeper — Tasks & habits in a plain markdown file

v0.2.2

Tasks and habits that live in a plain markdown file on your machine. Free, private, and claw-native.

0· 669·1 current·1 all-time
by@tallhamn
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (local markdown task/habit manager) align with the declared requirements: it needs a 'clawkeeper' CLI and a directory (CLAWKEEPER_DIR) where markdown data is stored. Asking for CLAWKEEPER_DIR as the primaryEnv is slightly unusual (it's a path, not a secret) but not incoherent.
Instruction Scope
SKILL.md only instructs the agent to run the clawkeeper CLI against the directory in CLAWKEEPER_DIR and to perform periodic 'heartbeat' checks on tasks/habits. This stays within the skill's stated purpose. Note: because the CLI reads and writes whatever is under CLAWKEEPER_DIR, an attacker or misconfiguration that sets CLAWKEEPER_DIR to a sensitive location could expose or overwrite unrelated files. The instructions do not reference other env vars, system paths, or external endpoints.
Install Mechanism
Install is via the npm package 'clawkeeper' which creates the 'clawkeeper' binary. Using npm for a CLI is reasonable; npm packages carry the usual supply-chain risk (packages can execute arbitrary code during install). There is no direct download from an unknown URL in the spec.
Credentials
Only CLAWKEEPER_DIR is required, which is proportionate to a local file-backed CLI. However, treating a path as the primary credential is odd; confirm you trust the directory value. If CLAWKEEPER_DIR points to a shared or sensitive folder, the skill (and the CLI it runs) could read/modify unrelated files.
Persistence & Privilege
always is false and the skill does not request system-wide changes or persistent/always-on inclusion. Model invocation is allowed (the platform default), which is expected for a usable skill. The skill does not claim to modify other skills or global agent settings.
Assessment
This appears to be a straightforward CLI-driven task manager. Before installing: (1) verify the npm package source and maintainers (npm packages can run code during install); (2) ensure CLAWKEEPER_DIR is set to a directory you control (not /, /etc, your home dir root, or any sensitive path) and give it appropriate permissions; (3) consider running the npm install in a sandbox or review the package code if you need higher assurance; (4) be aware that if multiple agents share the same CLAWKEEPER_DIR, they will read/write the same data which may affect privacy.

Like a lobster shell, security has layers — review code before you run it.

latestvk974kpfz1kzjexv3mn8pdjsm3n819w9e

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsclawkeeper
EnvCLAWKEEPER_DIR
Primary envCLAWKEEPER_DIR

Install

Install via npm
Bins: clawkeeper
npm i -g clawkeeper

Comments