← Back to Skills Marketplace
797
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install todo-boss
Description
Capture and track tasks with owner and due date, mark done, list open or delegated tasks, and get daily reports via Telegram commands.
Usage Guidance
This skill is incomplete and has some fragile and privacy-sensitive behavior. Before installing or using it, consider: (1) It only provides add_task.sh—commands mentioned in SKILL.md (listing, marking done, reports) are missing. Expect limited functionality unless you add more scripts. (2) The script looks for 'owner:' and 'due:' in English but the SKILL.md follow-up prompts are Korean, so extraction may fail; test inputs to confirm behavior. (3) The script writes the entire raw user text to a plain JSONL file in ~/.openclaw/workspace/data/todo — do not send secrets or private data through it. (4) The embedded Python heredoc interpolates shell variables without escaping; inputs containing quotes, backslashes, or newlines can break the script and corrupt the log. Consider fixing the script to safely escape or pass data to Python (e.g., use python -c with json.dumps of arguments or read from stdin), and implement missing features (list, done, report) before relying on it. If you cannot review/modify the script, run it in a controlled/test environment and avoid sending sensitive content.
Capability Analysis
Type: OpenClaw Skill
Name: todo-boss
Version: 0.1.0
The skill is highly suspicious due to a critical Remote Code Execution (RCE) vulnerability in `add_task.sh`. User-controlled input (TEXT, TITLE, OWNER, DUE) is directly interpolated into a Python here-document without proper sanitization, allowing an attacker to inject and execute arbitrary Python code. This flaw, while not explicitly malicious in its current form, provides a clear pathway for an attacker to achieve data exfiltration, persistence, or other harmful actions.
Capability Assessment
Purpose & Capability
The stated purpose (task capture, delegation, daily reports via Telegram) is consistent with a local append-only log approach. However the repository only contains add_task.sh while SKILL.md documents many commands (/todo_done, /todo_list, /todo_delegated, /todo_report) and a derived cache; those other commands and listing/mark-done logic are missing, so the package is incomplete relative to its claimed functionality.
Instruction Scope
SKILL.md instructs the agent to call the provided add_task.sh and to ask follow-ups when owner/due are missing. The script itself only appends a JSONL event with the raw user text and does simple pattern parsing for 'owner:' and 'due:'. Concerns: (1) the SKILL.md's follow-up policy and Korean prompts contrast with the script's English 'owner:'/'due:' parsing—mismatch may break extraction; (2) the script stores the full raw text (potentially sensitive) without warning or redaction; (3) the inline Python heredoc interpolates shell variables directly into Python source without escaping, so user input containing quotes, newlines, or special characters can break the Python snippet and corrupt the log or cause the script to fail; (4) there is no code here to finalize drafts, update events, list tasks, or mark tasks done despite SKILL.md promising those features.
Install Mechanism
Instruction-only plus a shell script means nothing is downloaded or installed. The script requires standard system tools (bash, sed, date, python3) but there is no install‑time network activity or unusual installers.
Credentials
No secrets or external credentials are requested, which is appropriate. The script reads $HOME and writes under ~/.openclaw/workspace/data/todo—this is expected for a local task log, but users should know data is stored in plain text under their home directory and could be read by other local processes or backed up to cloud storage.
Persistence & Privilege
always:false and no special agent-wide modifications. The script writes files under the user's home, which is consistent with a local task tracker. It does not attempt to modify other skills or system settings.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install todo-boss - After installation, invoke the skill by name or use
/todo-boss - Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
Version 0.1.0 of todo-boss
- Initial release of Telegram-based task capture and delegation tracker.
- Supports basic commands: /todo, /todo_done, /todo_list, /todo_delegated, /todo_report.
- Extracts owner and due date from free text; prompts user if missing.
- All task events are logged append-only; strict follow-up and no external web/API access.
- Designed for concise, action-focused interaction in Korean enterprise environments.
v1.0.0
Initial public release of todo-boss.
- Allows Telegram users to capture, delegate, and track tasks with daily reporting.
- Robust extraction rules: always ask for task owner and due date if missing, with Korean prompts.
- All task actions append to an append-only JSONL log for history and traceability.
- Strictly no web/API usage or open-ended context; focused only on task tracking.
- Short, action-oriented Telegram replies; auto-confirm task creation or status changes.
Metadata
Frequently Asked Questions
What is Todo Boss?
Capture and track tasks with owner and due date, mark done, list open or delegated tasks, and get daily reports via Telegram commands. It is an AI Agent Skill for Claude Code / OpenClaw, with 797 downloads so far.
How do I install Todo Boss?
Run "/install todo-boss" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Todo Boss free?
Yes, Todo Boss is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Todo Boss support?
Todo Boss is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Todo Boss?
It is built and maintained by ukraecho (@ukraecho); the current version is v0.1.0.
More Skills