gothicfox

TODO Tracker (Safe)

by Alex Chen · GitHub ↗ · v1.0.1 · MIT-0
cross-platform ✓ Security Clean
445 Downloads · 0 Stars · 1 Active Installs · 2 Versions
Install in OpenClaw
/install todo-tracker-safe
Description
Secure TODO tracker with input validation and safe file operations. Use for task management across sessions.
Usage Guidance
This script is a local, file-based TODO manager and appears to perform only safe text-file operations. Before installing: confirm that the default path (~/.openclaw/workspace/TODO.md) is acceptable (or set TODO_FILE), create the containing directory with correct permissions so the script can initialize the file, and be aware that the agent may autonomously show the summary (heartbeat), which reads that file. If you want to be extra cautious, review the included scripts/todo.sh yourself: it contains the full implementation, and no network calls or calls to external services were found.
Capability Analysis
Type: OpenClaw Skill
Name: todo-tracker-safe
Version: 1.0.1
The skill bundle provides a secure TODO tracking utility with robust security practices. The `scripts/todo.sh` script implements input sanitization, strict shell modes (`set -euo pipefail`), and avoids command injection by using `awk -v` for variable passing and `grep -F` for fixed-string matching. It also includes file permission checks to ensure the data file is not world-writable. No evidence of data exfiltration, network activity, or malicious intent was found.
Capability Assessment
Purpose & Capability
Name/description (local TODO tracker) align with what is present: a bash script that reads/writes a TODO.md and uses bash/grep/awk/sed. No unrelated credentials, binaries, or network access are requested.
Instruction Scope
SKILL.md and the script limit actions to local file operations, listing, adding, marking done, and summarizing tasks. The README and SKILL.md claim no env vars except TODO_FILE, but the script also reads HOME to build a default path (normal for local tools). The skill states it may display a summary on heartbeat — that implies autonomous invocation may cause periodic reads of the TODO file, which is consistent with the stated behavior.
Install Mechanism
No install spec; instruction-only with an included script. Nothing is downloaded or written by an installer, so there is no remote install risk.
Credentials
No required environment variables are declared. The script optionally respects TODO_FILE (reasonable). It also uses HOME implicitly to compute the default path — this is typical for a local file-based tool but is a minor mismatch with the SKILL.md phrasing that claimed 'no env var reading except TODO_FILE.'
Persistence & Privilege
always:false and no modifications to other skills or global agent configs. The script writes only to the user-specified (or default) TODO file; it requires an existing writable directory to create the file and will error otherwise.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install todo-tracker-safe
  3. After installation, invoke the skill by name or use /todo-tracker-safe
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
Fixed permission check logic
v1.0.0
Security-hardened release: input validation, fixed-string matching, file permission checks, no dynamic execution
Metadata
Slug todo-tracker-safe
Version 1.0.1
License MIT-0
All-time Installs 1
Active Installs 1
Total Versions 2
Frequently Asked Questions

What is TODO Tracker (Safe)?

Secure TODO tracker with input validation and safe file operations. Use for task management across sessions. It is an AI Agent Skill for Claude Code / OpenClaw, with 445 downloads so far.

How do I install TODO Tracker (Safe)?

Run "/install todo-tracker-safe" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is TODO Tracker (Safe) free?

Yes, TODO Tracker (Safe) is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does TODO Tracker (Safe) support?

TODO Tracker (Safe) is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created TODO Tracker (Safe)?

It is built and maintained by Alex Chen (@gothicfox); the current version is v1.0.1.
