Vikunja Fast

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: vikunja-fast
Version: 1.0.0

The skill bundle provides a CLI helper (`vikunja.sh`) to interact with the Vikunja API for task management. It uses `curl` and `jq` to make authenticated requests to the `VIKUNJA_URL` (provided via environment variables or skill config). Authentication is handled by using a `VIKUNJA_TOKEN` or by logging in with `VIKUNJA_USERNAME` and `VIKUNJA_PASSWORD` to obtain a JWT. All network calls and data handling are directly related to the stated purpose of managing Vikunja tasks. There is no evidence of data exfiltration to unauthorized endpoints, malicious execution, persistence mechanisms, or prompt injection attempts in `SKILL.md`.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent can read Vikunja task data and, when instructed through the skill, update task completion status using the configured account.

Why it was flagged

The skill asks for a Vikunja JWT or username/password so it can authenticate API calls. This is expected for the stated integration, but it grants account-level task access.

Skill content

```
export VIKUNJA_TOKEN="<jwt>"
...
export VIKUNJA_USERNAME="<username>"
...
export VIKUNJA_PASSWORD="<password>"
```

Recommendation

Use a revocable or least-privileged token if Vikunja supports it, verify `VIKUNJA_URL`, and keep any token or password stored in Clawdbot config private.

What this means

A task can be marked complete in Vikunja when the command is invoked with a task ID.

Why it was flagged

The helper performs an authenticated POST that changes a task to done when the `done` command is used. This matches the advertised mark-done feature, but it is still a mutating action.

Skill content

```
api_get "/tasks/$task_id" | jq '.done = true | .done_at = null' | api_post_json "/tasks/$task_id" @-
```

Recommendation

Review task IDs before using the `done` command, and prefer read-only commands such as `overdue`, `due-today`, or `show` when you only need a summary.

What this means

Users have less provenance information about who maintains the skill, even though the supplied code is straightforward.

Why it was flagged

The artifact source is not identified, although there is no remote installer or hidden dependency and the included helper script is visible for review.

Skill content

Source: unknown; Install specifications: No install spec — this is an instruction-only skill.

Recommendation

Review the included `vikunja.sh` before use and install only if you trust the publisher or have verified the script.