Notes Reminders
ReviewAudited by ClawScan on May 10, 2026.
Overview
The note/reminder purpose is reasonable, but the skill references missing Node scripts and includes an unscoped workflow that can send messages to a channel.
Review this skill before installing. Its basic purpose is benign, but the reviewed package does not include the scripts it tells the agent to run, and its reminder workflow can post messages to a channel without documented integration, credentials, or confirmation controls.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may fail to work or may cause the agent to execute code that was not included in the reviewed package.
The supplied file manifest contains only SKILL.md and no install spec, so the referenced required scripts are not supplied. If an agent tries to run these relative paths, the target code is missing or could resolve to unrelated local files.
"requires": { "scripts": ["scripts/notes.js", "scripts/reminders.js"] } ... node scripts/notes.js add ... node scripts/reminders.js check-and-fireDo not run the referenced node commands unless the scripts are supplied from a trusted source and are reviewed. The package should include the scripts or remove the runtime instructions.
A reminder could be posted to an unintended shared channel or account if the agent has access to messaging tools.
The workflow tells the agent to send reminder messages to a channel when reminders fire, but it does not define the messaging tool, require user confirmation, or limit which channels may be used.
`check-and-fire` の結果に fired リマインダーがあれば、該当チャネルにメッセージを送信: `リマインダー: {message}`Require explicit user confirmation and a clearly selected destination before posting, and document the intended messaging integration and allowed channel scope.
The agent may use whichever messaging identity or workspace access is available, which can create accidental posts under the wrong account or in the wrong workspace.
Sending to a channel implies delegated messaging or workspace permission, but the registry metadata declares no primary credential, environment variable, or integration scope for that authority.
--channel=C0AHBLQ0P32 ... 該当チャネルにメッセージを送信
Declare the required messaging service and permissions, and restrict posting to user-approved channels and accounts.
Personal notes or reminder text may be persisted somewhere not described by the package.
The skill is intended to store and retrieve user notes and reminders, which is purpose-aligned, but the artifacts do not describe storage location, retention, or reuse boundaries.
node scripts/notes.js add --title="アイデア" --content="新機能のアイデア..." ... node scripts/notes.js search --query="アイデア"
Only store information you are comfortable keeping in the skill, and prefer a version that documents storage path, retention, and deletion behavior.