ClawHub

Tasktrove

v1.0.0

Manage todos via Tasktrove API. Use for listing, creating, completing, or updating tasks. Triggers on task/todo requests like "what's on my todo list", "add a task", "mark X done", "what's due today".

0· 1.3k·0 current·0 all-time
by@willwebberley
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the included CLI and API usage. The included script and SKILL.md implement listing, adding, completing, and searching tasks against a Tasktrove API, which is appropriate for the stated purpose. HOWEVER the registry metadata claims no required env vars/credentials while the SKILL.md and script clearly require TASKTROVE_HOST (and optionally TASKTROVE_TOKEN). This metadata omission is an inconsistency.
Instruction Scope
SKILL.md and the CLI script confine actions to calling the Tasktrove API (HTTP requests to TASKTROVE_HOST). Instructions do not request unrelated local files or system state, nor do they instruct exfiltration to external endpoints other than the configured TASKTROVE_HOST.
Install Mechanism
There is no install spec; the skill is instruction-only with a small Python CLI included. Nothing is downloaded from external URLs or installed automatically.
!
Credentials
The skill legitimately needs TASKTROVE_HOST and may use TASKTROVE_TOKEN for auth — those are proportional to its function. The concern is that the registry lists no required env vars/primary credential while both the SKILL.md and scripts/tasks.py require TASKTROVE_HOST (the script exits if it's missing) and optionally use TASKTROVE_TOKEN. That mismatch reduces transparency and could mislead users about what secrets/config are needed.
Persistence & Privilege
The skill does not request permanent presence (always=false), does not modify other skills or global agent configuration, and does not request elevated privileges.
What to consider before installing
This skill appears to implement a legitimate Tasktrove client, but the registry metadata does not declare environment variables that the skill actually requires. Before installing or using it: 1) Confirm the skill's origin — source/homepage are missing. 2) Expect to set TASKTROVE_HOST (required) and optionally TASKTROVE_TOKEN; the script will send your token and requests to whatever host you configure, so only point it at a trusted Tasktrove instance. 3) Review the included scripts/tasks.py yourself (it's short and readable) to verify there are no surprises. 4) Ask the publisher to correct the metadata so required env vars/primary credential are declared. If you cannot verify the source, treat the skill as higher risk and avoid supplying real credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e0dpw8gfwwnezkce26mb0zd80m7sx

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments