Tasktrove

Pass. Audited by ClawScan on May 1, 2026.

Overview

Tasktrove is a coherent todo-management skill, but it should only be pointed at a trusted Tasktrove host: it sends an API token to whatever host is configured and can create, complete, and delete tasks on that host.

This skill appears safe for its stated purpose if you intend to manage a Tasktrove server. Before installing, configure only a trusted TASKTROVE_HOST, protect any TASKTROVE_TOKEN, and have the agent confirm task completion or deletion actions.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked on the wrong task or without clear intent, the agent could mark tasks done, create unwanted tasks, or delete task records.

Why it was flagged

The skill documents API and CLI operations that create, complete, and delete tasks. This is aligned with todo management, but it can change or remove the user's task data.

Skill content
python3 scripts/tasks.py add "Task title" --due 2026-02-10 --priority 2
python3 scripts/tasks.py complete abc123
...
curl -X DELETE "$TASKTROVE_HOST/api/v1/tasks/<task-id>"

Recommendation

Use this skill only for explicit task requests, verify task IDs before completing or deleting (for example, fetch the task and show its title to the user first), and ask for confirmation before any destructive change.

What this means

A Tasktrove API token may allow access to or modification of the user's tasks on the configured server.

Why it was flagged

The helper script reads an optional Tasktrove token and sends it as a bearer credential to the configured host. This is expected for an authenticated API integration, but it is sensitive access.

Skill content
TOKEN = os.environ.get("TASKTROVE_TOKEN", "")
...
headers["Authorization"] = f"Bearer {TOKEN}"

Recommendation

Only set TASKTROVE_TOKEN for a trusted Tasktrove instance, use HTTPS unless the host is on a trusted local network (a bearer token sent over plain HTTP is readable by anyone on the network path), and use the least-privileged token available.
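As an added example that is not part of the ClawScan report or of the skill's own scripts/tasks.py, the Python sketch below shows how a helper like the one excerpted in both findings could enforce these recommendations: attach TASKTROVE_TOKEN only to an allowlisted host, and only over HTTPS unless the host is loopback, and route complete and delete calls through a task-ID shape check and a confirmation callback. The allowlist variable TASKTROVE_TRUSTED_HOSTS, the function names, the example host, and the /complete endpoint path are assumptions introduced here; the DELETE path matches the curl excerpt in the first finding.

```python
"""Hardened request guards for a Tasktrove-style helper (added example).

Not the skill's own scripts/tasks.py. Names such as host_is_trusted,
build_request, destructive_request, TASKTROVE_TRUSTED_HOSTS and the
/complete path are assumptions made for this example.
"""
import os
import re
from urllib.parse import urlparse

# Shape check only: rejects path metacharacters such as "../" in a task ID.
TASK_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def trusted_hosts_from_env():
    """Comma-separated allowlist, e.g. TASKTROVE_TRUSTED_HOSTS=tasks.example.net (assumed variable)."""
    raw = os.environ.get("TASKTROVE_TRUSTED_HOSTS", "")
    return {h.strip().lower() for h in raw.split(",") if h.strip()}


def host_is_trusted(base_url, trusted):
    """True only for an allowlisted host, and only over HTTPS unless the host is loopback."""
    u = urlparse(base_url)
    host = (u.hostname or "").lower()
    if not host or u.scheme not in ("http", "https"):
        return False
    if u.scheme == "http" and host not in LOOPBACK:
        return False  # a bearer token over plain HTTP is readable on the path
    return host in trusted


def build_request(base_url, method, path, token, trusted):
    """Return (method, url, headers); attach the bearer token only to a trusted host."""
    headers = {"Accept": "application/json"}
    if token:
        if not host_is_trusted(base_url, trusted):
            raise ValueError(f"refusing to send TASKTROVE_TOKEN to {base_url!r}")
        headers["Authorization"] = f"Bearer {token}"
    return method, base_url.rstrip("/") + path, headers


def destructive_request(action, task_id, confirm):
    """Map complete/delete to (method, path) only after the ID passes the shape
    check and confirm(action, task_id) returns True. Returns None when declined."""
    if action not in ("complete", "delete"):
        raise ValueError(f"{action!r} is not a destructive action")
    if not TASK_ID_RE.fullmatch(task_id):
        raise ValueError(f"malformed task id {task_id!r}")
    if not confirm(action, task_id):
        return None
    if action == "delete":
        return "DELETE", f"/api/v1/tasks/{task_id}"  # path from the skill's curl excerpt
    return "POST", f"/api/v1/tasks/{task_id}/complete"  # assumed endpoint; check the real API


def prompt_confirm(action, task_id):
    """Interactive confirmation; an agent should show the task's fetched title before this."""
    return input(f"{action} task {task_id}? [y/N] ").strip().lower() == "y"


if __name__ == "__main__":
    host = os.environ.get("TASKTROVE_HOST", "https://tasks.example.net")  # example host
    token = os.environ.get("TASKTROVE_TOKEN", "")
    trusted = trusted_hosts_from_env() or {"tasks.example.net"}
    req = destructive_request("delete", "abc123", prompt_confirm)
    if req:
        print(build_request(host, req[0], req[1], token, trusted))
```

The token check is deliberately fail-closed: an unset allowlist means no host receives the token, and a plain-HTTP host outside loopback is refused even if allowlisted. The confirmation callback is the point where an agent should present the task it fetched (ID and title) so the user approves a specific record rather than an opaque identifier.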