yf-memo

Pass

Audited by ClawScan on May 10, 2026.

Overview

This is a coherent local memo/todo skill, but users should notice that it runs local shell scripts, stores task history in OpenClaw workspace files, and includes optional scheduling/test utilities that can affect those files.

This skill appears safe to use for local todo management if you are comfortable with it writing memo files under ~/.openclaw/workspace. Do not store secrets as todos, use the quoted command forms, and avoid running the test script on your real workspace unless you have backed up your memo files.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If an agent followed the unquoted reference pattern instead of the safer quoted examples, unusual task text containing shell metacharacters could be handled unsafely.

Why it was flagged

The reference implementation shows shell command construction using extracted user task content without quoting. The main SKILL.md examples use quoted arguments, so this appears to be an implementation-quality note rather than hidden behavior.

Skill content

result = exec_command(f'sh memo-helper.sh add {content}')

Recommendation

Use the quoted command forms from SKILL.md and pass task text as a single argument; avoid constructing shell commands with raw user text.

What this means

Running the test script on a real workspace could remove current pending and completed memo items.

Why it was flagged

The test script deletes and later recreates the skill's memo files. It is scoped to this skill's local workspace data and is not shown as automatically executed, but running it could erase existing todos.

Skill content

rm -f ~/.openclaw/workspace/pending-items.md 2>/dev/null
rm -f ~/.openclaw/workspace/completed-items.md 2>/dev/null

Recommendation

Back up pending-items.md and completed-items.md before running the test script, or run tests in a disposable workspace.

What this means

Personal tasks and completion history will remain on disk and may be visible to anyone or any tool with access to the OpenClaw workspace.

Why it was flagged

The skill persistently stores user task descriptions and completed-task history in local OpenClaw workspace files, which is expected for a memo system.

Skill content

TODO_FILE="$HOME/.openclaw/workspace/pending-items.md"
DONE_FILE="$HOME/.openclaw/workspace/completed-items.md"

Recommendation

Avoid storing highly sensitive secrets in todo items, and manage file permissions/backups for the OpenClaw workspace.

Note (High Confidence)

ASI10: Rogue Agents

What this means

If enabled, the skill may run a daily local summary job that reads pending items and writes a memo log.

Why it was flagged

The hook documentation describes optional scheduled daily summaries. This is disclosed and purpose-aligned, and the artifacts do not show a hidden auto-installed background process.

Skill content

Sets up cron job - Optionally configures daily summary at 10:00 AM

Recommendation

Enable the cron/hook option only if you want scheduled summaries, and review or remove the scheduled job if you no longer need it.

What this means

Manual installation can lead to path or permission mistakes, and users rely on the copied local scripts for behavior.

Why it was flagged

Setup is manual and depends on local script files being copied and made executable, while the registry summary says there is no install spec. This is not suspicious by itself, but users should verify the files they install.

Skill content

Place the entire yf-memo directory into ~/.openclaw/skills/
Ensure scripts are executable: chmod +x scripts/*.sh

Recommendation

Install only from a trusted copy of the skill directory and review the scripts before making them executable.