Checklist

Pass

Audited by ClawScan on May 1, 2026.

Overview

This appears to be a local checklist/workflow skill with no credential or network behavior, but it stores agent task state locally and should not be treated as the only safety gate for real deployments or migrations.

This skill looks appropriate for local checklist management. Before installing or using it, confirm the local CLI setup and jq dependency, avoid recording secrets in task text, and keep human approval in front of any real deployment, migration, access-control, or notification actions described by its templates.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Task names, agent assignments, and workflow status may remain on disk and be reused in later sessions.

Why it was flagged

The skill creates persistent local storage for agent and checklist state, which can influence later workflow coordination.

Skill content

CHECKLIST_DIR="${HOME}/.checklist" ... AGENTS_FILE="${CHECKLIST_DIR}/agents.json" ... mkdir -p "${CHECKLIST_DIR}" "${ACTIVE_DIR}" "${TEMPLATES_DIR}"

Recommendation

Avoid putting secrets or sensitive incident details into checklist items, and periodically review or clear ~/.checklist when workflows are complete.

What this means

The skill may fail or behave unexpectedly if the local checklist command or jq dependency is not installed as expected.

Why it was flagged

The script depends on jq for core behavior, while the registry section declares no required binaries and no install spec.

Skill content

if jq -e --arg name "$name" '.agents[] | select(.name == $name)' "$AGENTS_FILE" >/dev/null 2>&1; then

Recommendation

Before using it, verify how the checklist command is installed and that jq is present from a trusted package source.

What this means

If used with an autonomous agent that has deployment or infrastructure tools, a checklist item could lead to real production changes unless the user keeps approval controls in place.

Why it was flagged

The bundled workflow templates include high-impact operational tasks. They appear to be checklist reminders, not direct automation, but an agent could treat them as action steps in a broader workflow.

Skill content

{"id": 9, "text": "Deploy to production", "required": true}

Recommendation

Require explicit human confirmation before agents perform real deployments, migrations, access grants, notifications, or other external changes referenced by checklist items.

What this means

Users or agents may believe the tool is enforcing dependency order when the claim path shown may still allow out-of-order task claims.

Why it was flagged

The comment says claimed items have dependencies met, but the shown filter only checks status and assignment, not depends_on. This may overstate the dependency safety of this command path.

Skill content

# Find first available item (not done, no assignee, dependencies met)
local available=$(jq -r --arg agent "$current" '.items[] | select(.status == "pending" and (.assigned_to == null or .assigned_to == $agent)) | .id' "$active_file" | head -1)

Recommendation

Use checklist dependency checks as advisory, and manually verify ordering before performing high-impact workflow steps.