Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Todo List: To-Do Management

v1.3.0

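A to-do management skill that supports adding, viewing, completing, and deleting to-do items, with due-date reminders, a tag system, project management, and attachments. Trigger conditions: (1) the user mentions to-dos, Todo, task management, to-do list, or todolist (2) to-do items need to be added, viewed, completed, or deleted (3) setting task reminders (4) tag management (5) project management (6) the user directly enters "todo" or...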

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name/description, the CLI scripts, and the SKILL.md are consistent: the package implements a local Python-based todo system, stores data under ~/.openclaw/workspace/memory/, supports attachments and uses the OpenClaw CLI to create cron reminders. The requested dependencies (python3 and OpenClaw CLI) match the stated purpose and there are no unexpected external credentials or unrelated binaries required.
Instruction Scope
Runtime instructions require the agent to read/write session and data files under ~/.openclaw/workspace/memory/ (todo.json, session config, reminders, attachments). That matches the feature set, but it does mean the skill will read local files and persist configuration and reminders. The SKILL.md requires the agent to extract channel and target from the conversation context and pass them to scripts — this is expected but grants the skill the ability to send messages via OpenClaw into configured channels. The instructions also direct the agent to only output certain tokens (e.g. NO_REPLY) when scripts are used, which is an operational constraint but not a security issue by itself.
Install Mechanism
No external install/download step is declared (instruction-only with included Python scripts). No remote URLs or package installs are used. The code is bundled in the skill, so there is no network fetch at install time — lowest risk from installers.
Credentials
The skill does not request environment variables or external credentials. Its need to access files under the user's home (~/.openclaw/workspace/memory/) and to call the OpenClaw CLI is proportional to a todo/reminder skill that integrates with OpenClaw cron and channel messaging.
Persistence & Privilege
The skill persists its own data and session configuration under ~/.openclaw/workspace/memory/ and creates cron jobs via the OpenClaw CLI. It is not marked always:true and does not claim to modify other skills. Creating cron entries and writing to the user-owned memory directory are expected for reminders, but these are persistent actions the user should be aware of (cron jobs will cause future outbound messages to channels configured in session).
Scan Findings in Context
[subprocess-shell-true] unexpected: scripts/todo.py contains a call using subprocess.run(..., shell=True) when deleting old cron jobs: subprocess.run(f"openclaw cron delete {old_job_id}", shell=True, ...). Calling shell=True with unsanitized string input is a command-injection risk. The PUBLISH_CHECKLIST claims shell=True was removed, but the code still contains at least this instance — an inconsistency that increases risk.
What to consider before installing
This skill is functionally coherent for a local todo/reminder system using the OpenClaw CLI, but exercise caution before installing. What to check or do before installing:
- Inspect and fix the shell deletion call: replace subprocess.run(f"openclaw cron delete {old_job_id}", shell=True, ...) with an args list (e.g. ['openclaw','cron','delete', old_job_id]) or otherwise sanitize/validate job IDs to remove command injection risk.
- Review the implementation of attachment handling (add_attachment) to ensure it enforces the claimed path restrictions, prevents directory traversal and symlink TOCTOU attacks, enforces the 50MB limit, and sets safe permissions on copied files.
- Ensure the memory directory (~/.openclaw/workspace/memory/) and session config files are accessible only by the intended user (restrict filesystem permissions) because reminders and job IDs are stored there and could be tampered with by other local users.
- Be aware that the skill will create cron jobs via OpenClaw and send messages to configured channels/targets — verify your OpenClaw configuration and channel target are trusted before enabling reminders.
- If you do not trust the skill owner/source, consider running the scripts in a restricted environment (container or dedicated account) or request a code revision that removes shell=True usage and provides audited attachment code.
Confidence note: the assessment is based on the included SKILL.md and the provided Python sources; the todo.py file was large and partially truncated in the listing, so also review the remainder of that file (especially add_attachment and any other subprocess usage) for additional issues.
