Back to skill

Security audit

Todo List 待办事项管理

Security checks across malware telemetry and agentic risk

Overview

This is a mostly coherent todo/reminder skill, but it needs Review because it persists chat and cron state and still contains unsafe shell-based cron deletion paths despite claiming that issue was fixed.

Review before installing. Use it only if you are comfortable storing todo data, copied attachments, reminder metadata, and chat routing under OpenClaw memory, and with reminders/status lists being sent through the configured OpenClaw channel. The shell=True cron cleanup code should be fixed before broad use, especially on systems where local reminder files could be edited or shared.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
Findings (18)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# 删除所有关联的 cron 任务
    for job_id in reminders[reminder_name].get("job_ids", []):
        try:
            subprocess.run(f"openclaw cron delete {job_id}", shell=True, capture_output=True)
        except:
            pass
Confidence
98% confidence
Finding
subprocess.run(f"openclaw cron delete {job_id}", shell=True, capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if reminder_name in reminders:
        for old_job_id in reminders[reminder_name].get("job_ids", []):
            try:
                subprocess.run(f"openclaw cron delete {old_job_id}", shell=True, capture_output=True)
            except:
                pass
Confidence
98% confidence
Finding
subprocess.run(f"openclaw cron delete {old_job_id}", shell=True, capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# 删除旧的 cron 任务
        for job_id in new_reminder.get("job_ids", []):
            try:
                subprocess.run(f"openclaw cron delete {job_id}", shell=True, capture_output=True)
            except:
                pass
Confidence
98% confidence
Finding
subprocess.run(f"openclaw cron delete {job_id}", shell=True, capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# 先删除旧的 cron
            for job_id in old_reminder.get("job_ids", []):
                try:
                    subprocess.run(f"openclaw cron delete {job_id}", shell=True, capture_output=True)
                except:
                    pass
            old_reminder["job_ids"] = []
Confidence
98% confidence
Finding
subprocess.run(f"openclaw cron delete {job_id}", shell=True, capture_output=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill invokes Python scripts, reads and writes files under the workspace, and uses shell-capable tooling, but it declares no permissions. This creates a transparency and governance gap: the platform or user cannot accurately assess or constrain what the skill is allowed to do, which is especially relevant because it persists data and handles local files.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill description presents a local todo-management capability, but the documented behavior also stores session routing data and sends messages to external channels via OpenClaw, including creating cron-based outbound reminders. This mismatch can mislead users and reviewers about data flows and external side effects, increasing the risk of unintended message delivery, persistence of identifiers, and abuse of messaging/cron functionality.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The skill explicitly supports file attachment storage and deletion, which expands it from simple task management into filesystem manipulation. Any feature that copies and later deletes files based on task metadata increases the risk of unintended file access, path abuse, or destructive behavior if paths are not strictly validated and sandboxed.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill goes beyond local todo management by sending task content to external messaging channels and persisting session routing metadata. In a todo app, task titles, descriptions, tags, and project names often contain sensitive personal or business data, so this scope expansion materially increases privacy and exfiltration risk.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger conditions are overly broad and include common everyday terms like '任务' and '待办', making accidental invocation likely. Over-triggering can cause the assistant to enter a file-managing, stateful skill in contexts where the user did not intend todo operations, increasing the chance of unintended data exposure or modifications.

Vague Triggers

High
Confidence
96% confidence
Finding
The catch-all trigger '其他包含“待办”、“任务”、“todo”的请求' is excessively permissive and can activate this skill for many unrelated conversations. In a skill that stores data, manages reminders, and handles attachments, such ambiguity materially raises the risk of unintended side effects and privacy leakage.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation states that deleting a task also deletes all its attachment files, but it does not emphasize confirmation, reversibility, or the scope of deletion. Destructive file operations tied to a routine todo command can lead to permanent data loss, especially if users do not realize attachments are affected.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The maintenance tool automatically deletes all old reminders before rebuilding them, yet the documentation does not prominently warn about the destructive reset behavior or possible reminder gaps. Administrative commands that remove scheduling state can disrupt user workflows and silently disable expected reminders if misused.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill can transmit complete task lists and status summaries to external channels without an obvious user-facing warning that local content is leaving the device. Since todo items commonly contain confidential plans, names, deadlines, and attachments references, silent outbound transmission creates meaningful privacy and data-leak risk.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The code stores channel and target metadata on disk without clearly informing the user. Although this is not as severe as sending task contents, persisted destination identifiers can still expose communication relationships and enable later unintended sends to a remembered recipient.

Ssd 3

Medium
Confidence
95% confidence
Finding
The skill directs the assistant to include attachment paths in reminders, exposing local filesystem locations in normal conversational output. File paths often reveal usernames, directory structures, project names, and other sensitive environmental details that are unnecessary for routine reminders.

Ssd 3

Medium
Confidence
97% confidence
Finding
The examples and rules explicitly show full filesystem paths for attachments, normalizing path disclosure as expected behavior. This unnecessarily leaks local environment details and can aid reconnaissance about user identity, storage layout, and sensitive project structure.

Ssd 3

Medium
Confidence
88% confidence
Finding
Prompting the assistant to ask whether to send attachments when discussing tasks encourages disclosure or transmission of user files as a default behavior. That increases the chance of accidental sharing of sensitive documents in contexts where the user only asked about task status, not file access or transfer.

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
# 创建项目
python3 todo.py project create "标签" "项目名称" [-d "描述"]

# 列出项目
python3 todo.py project list
Confidence
68% confidence
Finding
create "标签" "项目名称" [-d "描述"] # 列出项目 python3 todo.py project list # 查看项目 python3 todo.py project show "标签" ``` **输出**: ``` 📦 项目:RAG向量库学习 🏷️ 标签:RAG 📊 进度:2/5 任务完成 (40.0%) ``` --- ## 优先级 - `high` =

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.