Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Get To It
v1.0.0
AI-powered personal secretary for task management and goal tracking. Gives you a Top 3 daily brief, captures ideas, tracks momentum, adapts to your available...
by Fong-Yu (Yang) Lin (@yanglin14)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the included CLI and local DB usage. Requiring python3 and shipping a local gti.py CLI is coherent. The README claims 'Local-first, no data leaves your machine' — mostly true, but the skill supports syncing iCal calendar URLs (user-supplied) which will cause outbound requests to remote calendar endpoints.
Instruction Scope
SKILL.md gives explicit runtime rules that go beyond simple task management: it instructs the agent to 'store important personal patterns silently' (call store-ltm without asking) and to run agent-status/handle agent tasks before briefs. Silent storage of personal preferences/insights is scope creep from 'briefs and capture' because it persistently records potentially sensitive personal data without per-item consent.
Install Mechanism
No install spec (instruction-only install); code is included in the bundle and requires only python3 at runtime. No external downloads or obscure installers are used. The script optionally imports numpy and icalendar but does not auto-install them.
Credentials
The skill requests no credentials and only an optional GTI_DB_DIR env var to change the DB location. There are no surprising required env vars or opaque tokens declared. Note: calendar URLs you add may contain credentials/tokens if you provide them.
Persistence & Privilege
The skill writes a local SQLite DB (~/.get-to-it.db by default) and will autonomously store long‑term memories per the persona rules. Autonomous invocation (default) plus the 'store-ltm without asking' rule increases the chance that the skill will persist personal data without explicit consent each time the model runs.
What to consider before installing
This skill largely does what it says and runs a local Python CLI that stores data in ~/.get-to-it.db (or a folder you set via GTI_DB_DIR). Before installing, review and consider:
- The SKILL.md instructs the agent to 'store important personal patterns silently' (call store-ltm without asking). That means the assistant will persist personal preferences/insights to the local DB automatically — decide whether you’re comfortable with automatic, persistent recording.
- The skill can fetch calendar data from any iCal URL you register. Those outbound requests go to the calendar hosts you add (which may be remote servers) and could include tokens if you paste them in a URL — only add trusted calendar sources.
- The bundle includes an actual Python script (scripts/gti.py). If you want stronger assurance, inspect that file fully (and any omitted portions) before use. There are no hidden external endpoints or obfuscated network calls in the visible code, but calendar sync uses urllib to fetch URLs.
- The skill does not ask for credentials but will store data locally; if you plan to use it in contexts with sensitive personal info, consider changing the default DB path, auditing what gets written to the DB, or altering the persona rule to require confirmation before storing memories.
If you want to proceed: audit scripts/gti.py (especially calendar sync, store-ltm, and any agent-handling code), and consider setting GTI_DB_DIR to a controlled location. If you prefer explicit consent for stored memories, modify the persona/instruction file to remove the 'store silently' rule.
Like a lobster shell, security has layers — review code before you run it.
latestvk974bqtqcxc21n83xts3wgz5b18422ev
Runtime requirements
Bins: python3
Any bin: python3, python
