Manage Your Family's todos

v1.0.0

Manage family todo lists with multi-user support

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code (todo.js) implements a local, file-backed multi-user todo manager consistent with the name/description. However SKILL.md references Telegram IDs in configuration even though the code does not talk to Telegram, and SKILL.md and code use different labels ('Shared' in SKILL.md vs 'Family' checked in code). These are coherence/clarity issues but not direct evidence of malicious behavior.
Instruction Scope
SKILL.md instructs editing todo.js and running node commands (expected). However the SKILL.md was flagged for unicode-control-chars (prompt-injection pattern) — hidden/control characters may be present in the instructions. That, plus the misleading Telegram-ID guidance (which implies external integration that does not exist), means you should inspect the SKILL.md and the top of todo.js carefully before use.
Install Mechanism
No install spec; skill is instruction-only with a single Node.js script. Nothing is downloaded or written to system locations by the installer. This is low-risk from an install perspective.
Credentials
Registry metadata lists no required env vars, but todo.js reads optional environment variables (TODO_ADMIN_ID, TODO_PARTNER_ID, TODO_GROUP_ID). These are not declared by the skill metadata — a mismatch. The env vars appear to hold user IDs (not secrets), so risk is low, but the omission is an inconsistency the author should clarify.
Persistence & Privilege
The skill does not request persistent/always-on privileges. It writes a single JSON file under the current working directory (memory/todo.json), which is consistent with its purpose and has limited scope.
Scan Findings in Context
[unicode-control-chars] unexpected: SKILL.md triggered a unicode-control-chars detection. Hidden control characters in instruction text can be used for prompt-injection or to hide content; this is unexpected for a simple README and should be inspected in a raw text editor to confirm no hidden instructions or manipulative payloads exist.
What to consider before installing
What to check before installing:
- Open SKILL.md in a plain-text editor or hex viewer and remove/inspect any strange or invisible characters (the pre-scan flagged unicode-control-chars).
- Inspect todo.js yourself (it's included). Confirm it only reads/writes memory/todo.json and does not call external network endpoints or execute other programs. The provided file appears local-only and safe on that basis.
- Note the metadata/README mismatch: SKILL.md mentions TELEGRAM IDs but the script does not connect to Telegram; clarify with the author if you expected messaging integration. Also SKILL.md uses 'Shared' while the code checks for 'Family' — fix the labels to avoid surprises.
- The script optionally reads TODO_ADMIN_ID, TODO_PARTNER_ID, TODO_GROUP_ID env vars but these were not declared in the registry metadata. These are likely benign (user IDs), but treat them as configuration, not secrets.
- Run the script in an isolated environment (or with a backup) the first time to confirm it creates only memory/todo.json and behaves as expected. If you plan to put the todo file in a shared location, ensure file permissions are set appropriately.
- If you are unsure about the hidden-character finding or the metadata discrepancies, contact the publisher for clarification or avoid installing until resolved.

Like a lobster shell, security has layers — review code before you run it.
