Skill v1.3.0

ClawScan security

Todo List 待办事项管理 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 22, 2026, 5:47 AM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill appears to implement the described todo/reminders functionality and asks for no external credentials, but the shipped code contains at least one unsafe shell invocation and some inconsistencies between the documentation and code that warrant caution before installing.
Guidance
This skill is functionally coherent for a local todo/reminder system using the OpenClaw CLI, but exercise caution before installing. What to check or do before installing:
- Inspect and fix the shell deletion call: replace subprocess.run(f"openclaw cron delete {old_job_id}", shell=True, ...) with an args list (e.g. ['openclaw','cron','delete', old_job_id]) or otherwise sanitize/validate job IDs to remove command injection risk.
- Review the implementation of attachment handling (add_attachment) to ensure it enforces the claimed path restrictions, prevents directory traversal and symlink TOCTOU attacks, enforces the 50MB limit, and sets safe permissions on copied files.
- Ensure the memory directory (~/.openclaw/workspace/memory/) and session config files are accessible only by the intended user (restrict filesystem permissions) because reminders and job IDs are stored there and could be tampered with by other local users.
- Be aware that the skill will create cron jobs via OpenClaw and send messages to configured channels/targets — verify your OpenClaw configuration and channel target are trusted before enabling reminders.
- If you do not trust the skill owner/source, consider running the scripts in a restricted environment (container or dedicated account) or request a code revision that removes shell=True usage and provides audited attachment code.

Confidence note: the assessment is based on the included SKILL.md and the provided Python sources; the todo.py file was large and partially truncated in the listing, so also review the remainder of that file (especially add_attachment and any other subprocess usage) for additional issues.
Findings
[subprocess-shell-true] unexpected: scripts/todo.py contains a call using subprocess.run(..., shell=True) when deleting old cron jobs: subprocess.run(f"openclaw cron delete {old_job_id}", shell=True, ...). Calling shell=True with unsanitized string input is a command-injection risk. The PUBLISH_CHECKLIST claims shell=True was removed, but the code still contains at least this instance — an inconsistency that increases risk.

Review Dimensions

Purpose & Capability
ok: Name/description, the CLI scripts, and the SKILL.md are consistent: the package implements a local Python-based todo system, stores data under ~/.openclaw/workspace/memory/, supports attachments and uses the OpenClaw CLI to create cron reminders. The requested dependencies (python3 and OpenClaw CLI) match the stated purpose and there are no unexpected external credentials or unrelated binaries required.
Instruction Scope
note: Runtime instructions require the agent to read/write session and data files under ~/.openclaw/workspace/memory/ (todo.json, session config, reminders, attachments). That matches the feature set, but it does mean the skill will read local files and persist configuration and reminders. The SKILL.md requires the agent to extract channel and target from the conversation context and pass them to scripts — this is expected but grants the skill the ability to send messages via OpenClaw into configured channels. The instructions also direct the agent to only output certain tokens (e.g. NO_REPLY) when scripts are used, which is an operational constraint but not a security issue by itself.
Install Mechanism
ok: No external install/download step is declared (instruction-only with included Python scripts). No remote URLs or package installs are used. The code is bundled in the skill, so there is no network fetch at install time — lowest risk from installers.
Credentials
ok: The skill does not request environment variables or external credentials. Its need to access files under the user's home (~/.openclaw/workspace/memory/) and to call the OpenClaw CLI is proportional to a todo/reminder skill that integrates with OpenClaw cron and channel messaging.
Persistence & Privilege
note: The skill persists its own data and session configuration under ~/.openclaw/workspace/memory/ and creates cron jobs via the OpenClaw CLI. It is not marked always:true and does not claim to modify other skills. Creating cron entries and writing to the user-owned memory directory are expected for reminders, but these are persistent actions the user should be aware of (cron jobs will cause future outbound messages to channels configured in session).