← Back to Skills Marketplace
mbojer

Claw List

by Morten Bojer · GitHub ↗ · v2.1.0 · MIT-0
cross-platform ⚠ suspicious
334
Downloads
0
Stars
1
Active Installs
8
Versions
Install in OpenClaw
/install claw-list
Description
Manage todo lists in PostgreSQL. Per-agent lists, optional categories, priorities, due dates. Triggers: "todo", "add task", "mark done", "what's due", "my ta...
README (SKILL.md)

Claw-List

Manage todo lists via a central API. Trigger on: "the list", "show me the list", "todo", "add task", "add to my list", "mark done", "mark complete", "what's due", "my tasks", "create a list".

Config

Check env vars first: CLAW_LIST_AGENT_ID, CLAW_LIST_URL (set via openclaw.json skills.entries for multi-agent setups).

If env vars not set: read ~/.openclaw/skills/claw-list/claw-list.conf and extract AGENT_ID, DISPLAY_NAME, CLAW_LIST_URL, REGISTERED.

If conf file doesn't exist (first run):

  1. Generate UUID: cat /proc/sys/kernel/random/uuid — fallback: python3 -c 'import uuid; print(uuid.uuid4())'
  2. Ask user for DISPLAY_NAME and CLAW_LIST_URL (e.g. https://claw-list.internal/api or http://host:8100)
  3. Write conf file with those values and REGISTERED=false

If REGISTERED=false: call POST {CLAW_LIST_URL}/admin/agents with body {"agent_id":"{AGENT_ID}","display_name":"{DISPLAY_NAME}","scope":"own"} — no X-Agent-Id header. On 201 or 409 write REGISTERED=true to conf. On any other status: tell user the API is unreachable and stop.

API

All requests require header X-Agent-Id: {AGENT_ID}. Base URL from CLAW_LIST_URL.

Lists: GET /lists · POST /lists {"name":"..."} · DELETE /lists/{id}

Items: GET /lists/{id}/items · POST /lists/{id}/items · PUT /items/{id} · DELETE /items/{id}

Item fields: title (required on create), notes, priority (1–5), due_date, category, done.

Full reference: ~/.openclaw/skills/claw-list/docs/api.md

Behaviour

  • Re-read conf at the start of every session — never assume values from a previous session.
  • Present results cleanly; never expose AGENT_ID or raw JSON to the user.
  • Store conversation context in notes when the user says "put that in the notes".
  • On 403: tell the user they don't have permission, don't retry.
Usage Guidance
Before installing or enabling this skill: - Understand where CLAW_LIST_URL points. The skill will send conversation text to that URL (it stores 'conversation context' in the remote item's notes). Only use a CLAW_LIST_URL you control and trust (prefer an internal host on a private network or deploy the provided server locally). - The bundled server currently advertises no authentication for admin endpoints and documents 'no auth' as a known gap — if you deploy it, do so behind an authenticated reverse proxy or on an isolated network. - If you do not want any conversation content sent off the agent host, do not enable the feature that saves notes, or do not use this skill. - Consider limiting autonomous invocation for this skill (require explicit user invocation) while you audit and test it, and review the server code (server/api/main.py) if you plan to host the backend. - If unsure, deploy the server in a safe sandbox, exercise the endpoints, and verify that agent data is stored only where you expect before using it with real conversations.
Capability Analysis
Type: OpenClaw Skill Name: claw-list Version: 2.1.0 The Claw-List skill bundle is a well-documented, self-hosted task management system. It features a FastAPI backend (main.py) using SQLAlchemy ORM to prevent SQL injection, a vanilla JS frontend with HTML escaping (index.html), and clear instructions for the OpenClaw agent (SKILL.md). The system implements a scope-based access control model (own vs. all) and follows a transparent self-registration process for agents. No evidence of malicious intent, data exfiltration, or unauthorized command execution was found.
Capability Tags
crypto
Capability Assessment
Purpose & Capability
Name/description (todo lists backed by Postgres via a central API) matches the included API docs and server code. Minor mismatch: SKILL.md and overview sometimes present the skill as an 'instruction-only' skill, yet a full server/stack is bundled in the repo — this is explained in docs (server/ included for self-hosting) but the registry metadata declared 'No install spec' which may mislead users about the presence of runnable server code.
Instruction Scope
SKILL.md instructs the agent to store 'conversation context' in the items.notes field when the user requests 'put that in the notes'. That means agent text (potentially sensitive) is intentionally transmitted to and persisted on an external HTTP service. The runtime steps also include writing a local conf and self-registering with POST /admin/agents. Reading/writing the conf in the skill directory is scoped, but the explicit remote storage of conversation text is a notable scope expansion from a simple local todo helper.
Install Mechanism
No install spec is provided and the skill runs via instructions / existing binaries on the agent; nothing is automatically downloaded or executed on install. The repository does include server code and Docker Compose for self-hosting, but those are optional manual deployment artifacts (not auto-installed by the agent).
Credentials
The agent-side skill requests no credentials (CLAW_LIST_URL and optional CLAW_LIST_AGENT_ID are provided by the user or openclaw.json). However, the skill's documented behaviour of storing conversation context remotely is disproportionate for a 'todo list' helper unless the user explicitly accepts remote persistence. Additionally, the bundled server's admin endpoints are documented as unauthenticated (no X-Agent-Id required) and the README notes 'Auth — no authentication currently' as a known gap; if the server is exposed to an untrusted network this becomes a significant risk to confidentiality and integrity of agent data.
Persistence & Privilege
The skill does not request 'always: true' and allows normal model invocation. Autonomous invocation (default) combined with the explicit instruction to persist conversation context remotely increases blast radius if the agent is allowed to run actions without user oversight. There is no indication the skill modifies other skills or system-wide configs.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install claw-list
  3. After installation, invoke the skill by name or use /claw-list
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.1.0
- Added an overview documentation file at docs/overview.md. - Improves user and developer guidance with dedicated overview content.
v2.0.0
**Major upgrade: Migrated from PostgreSQL CLI to API-based list management.** - Replaced direct PostgreSQL and CLI operations with central API-based management - Added config and registration flow via env, conf file, and automatic agent registration with the API - Refactored all list and item commands to use HTTP endpoints (`/lists`, `/items`) - Updated documentation; removed old CLI/scripts and outdated reference files - Added a lightweight web UI, server, tests, and deployment docs - New API-based fields: notes, priority (1–5), due_date, categories, and done status
v1.2.3
Version 1.2.3 - Updated _meta.json with no changes to core functionality or documentation. - No user-facing changes; content and commands remain the same.
v1.2.2
ClawList 1.2.2 - Added explicit documentation of required environment variables for PostgreSQL connection in SKILL.md. - Clarified cross-agent access: all data is visible across agents sharing a database (no isolation). - Docs now warn that the `migrate --action import-delete` command will permanently delete source files after importing. - Minor improvements to documentation for database access logging.
v1.2.1
ClawList v1.2.1 - Minor documentation and reference updates. - No breaking changes or new features. - Internal files and CLI documentation refreshed for clarity.
v1.2.0
Added --all-agents flag to list todos across agents grouped by owner. Added transfer command to move todos between agents. Owner agent field added to JSON output.
v1.1.0
Security: added .clawhubignore for .env, path validation in migrate. Reliability: 3-attempt retry with backoff, connection timeout, SSL option. Error handling: stderr for all errors, fixed silent swallow in SysClaw reporting. Fixed double-close bug in edit command. Added prerequisites docs and CHANGELOG.
v1.0.0
Initial release: PostgreSQL-backed todo lists with per-agent ownership, optional categories, priorities, due dates, archive, cross-agent access, migration from existing task files, and compact/JSON output modes
Metadata
Slug claw-list
Version 2.1.0
License MIT-0
All-time Installs 1
Active Installs 1
Total Versions 8
Frequently Asked Questions

What is Claw List?

Manage todo lists in PostgreSQL. Per-agent lists, optional categories, priorities, due dates. Triggers: "todo", "add task", "mark done", "what's due", "my ta... It is an AI Agent Skill for Claude Code / OpenClaw, with 334 downloads so far.

How do I install Claw List?

Run "/install claw-list" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Claw List free?

Yes, Claw List is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Claw List support?

Claw List is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Claw List?

It is built and maintained by Morten Bojer (@mbojer); the current version is v2.1.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments