Back to skill
Skillv3.0.5
ClawScan security
Task Planner · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 27, 2026, 4:25 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code and instructions are internally consistent with a local-only task manager: it only reads/writes a JSON file in your home directory and requires bash+python3.
- Guidance
- This skill appears to do exactly what it claims: local task management using a small bash wrapper and embedded Python. Before installing, consider: (1) data location — tasks are stored in ~/.task-planner/tasks.json by default (you can override with TASK_PLANNER_DIR); ensure you are comfortable with that file location and set filesystem permissions or backups if needed; (2) there is no network/cloud sync or external dependencies beyond bash and python3; (3) optional env var TASK_PLANNER_DIR is supported but not listed in metadata — if you rely on env isolation, be aware the script will read it; (4) if you want encryption or remote sync, this skill does not provide it. If any of these are concerns, review scripts/script.sh locally before use.
Review Dimensions
- Purpose & Capability
- okName/description promise a local task manager with no cloud sync; the script implements add/list/done and stores data in ~/.task-planner/tasks.json. Required binaries (bash, python3) match the implementation.
- Instruction Scope
- okSKILL.md commands map directly to the shell script functions. Runtime instructions do not attempt to read other system config, network endpoints, or external services; all actions are limited to creating/reading/writing the tasks JSON file.
- Install Mechanism
- okThis is an instruction-only skill with a small bundled script (no install spec or external downloads). No archives or third-party packages are fetched or executed during install.
- Credentials
- noteRegistry metadata declares no required environment variables, which is appropriate. The script does honor an optional TASK_PLANNER_DIR env var to override the data directory (not documented in SKILL.md's 'Requirements' section). This is reasonable and low-risk but worth noting since the script will read that env var if present.
- Persistence & Privilege
- okThe skill does not request permanent/autonomous privileges (always:false). It only creates a single directory under the user's home and a JSON file for tasks; it does not modify other skills or system-wide settings.