Vikunja Fast
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can read Vikunja task data and, when instructed through the skill, update task completion status using the configured account.
The skill asks for a Vikunja JWT or username/password so it can authenticate API calls. This is expected for the stated integration, but it grants account-level task access.
export VIKUNJA_TOKEN="<jwt>" ... export VIKUNJA_USERNAME="<username>" ... export VIKUNJA_PASSWORD="<password>"
Use a revocable or least-privileged token if Vikunja supports it, verify `VIKUNJA_URL`, and keep any token or password stored in Clawdbot config private.
A task can be marked complete in Vikunja when the command is invoked with a task ID.
The helper performs an authenticated POST that changes a task to done when the `done` command is used. This matches the advertised mark-done feature, but it is still a mutating action.
api_get "/tasks/$task_id" | jq '.done = true | .done_at = null' | api_post_json "/tasks/$task_id" @-
Review task IDs before using the `done` command, and prefer read-only commands such as `overdue`, `due-today`, or `show` when you only need a summary.
Users have less provenance information about who maintains the skill, even though the supplied code is straightforward.
The artifact source is not identified, although there is no remote installer or hidden dependency and the included helper script is visible for review.
Source: unknown; Install specifications: No install spec — this is an instruction-only skill.
Review the included `vikunja.sh` before use and install only if you trust the publisher or have verified the script.