← Back to Skills Marketplace
327
Downloads
0
Stars
1
Active Installs
2
Versions
Install in OpenClaw
/install todo-webapp
Description
Deploy a local TODO web app that reads and writes a Markdown TODO.md file. Serves a beautiful dark-themed, glassmorphism UI on the LAN (no HTTPS needed). Fea...
Usage Guidance
This skill appears to do exactly what it says: run a local Node.js server that reads/writes TODO.md and archives completed items. Before installing: 1) Inspect server.js yourself (it modifies TODO.md and appends to TODO-done.md). 2) Place the script where you intend and ensure TODO.md is the correct file (it uses the parent directory of server.js). 3) Be aware it serves plain HTTP on your LAN without authentication—anyone on your local network who can reach your host:3456 can view and toggle tasks. Don't install on a machine with sensitive TODO.md contents or on an untrusted network. 4) When following the launchd steps, open the plist file and verify the node and server.js paths and the run arguments before running launchctl load; if you prefer not to auto-start, skip the launchd step. 5) Consider firewall rules or binding to localhost if you want to restrict access. If you want additional assurance, run the server inside a restricted account/container or change file permissions so only an intended user can edit TODO.md.
Capability Analysis
Type: OpenClaw Skill
Name: todo-webapp
Version: 1.0.1
The skill deploys a Node.js web server (scripts/server.js) that manages local Markdown files and establishes persistence via a macOS launchd agent. While the functionality matches the description, the server contains a Stored XSS vulnerability because it renders TODO item text directly into the HTML without sanitization. Furthermore, the server listens on all network interfaces (0.0.0.0) without authentication or CSRF protection, potentially allowing any device on the local network to read or modify the user's TODO files.
Capability Assessment
Purpose & Capability
The name/description (local TODO web app) aligns with the provided server.js and SKILL.md. The script reads/writes TODO.md and TODO-done.md, serves UI over HTTP on port 3456, and includes archive/toggle behavior described in the README. The launchd autostart instruction matches the claimed auto-start behavior.
Instruction Scope
Instructions are scoped to installing the script, adding an optional bg.jpg, and registering a macOS launchd agent. They direct reading/writing of TODO.md and TODO-done.md (explicitly one directory up from server.js). Note: the instructions modify user launch agents (persistent startup) and assume macOS; there is no guidance for other OSes. The app exposes an unauthenticated HTTP endpoint on the LAN and will accept toggle/archive actions from any LAN client—this is expected but a material security consideration.
Install Mechanism
No install spec or external downloads are present; the skill is instruction-only plus a bundled server.js file. Nothing is pulled from remote URLs or extracted to disk by an installer. The only persistent installation step is the user copying a plist into ~/Library/LaunchAgents and loading it.
Credentials
No environment variables, credentials, or external service tokens are requested. The script works with local filesystem files only (TODO.md, TODO-done.md, optional bg.jpg). Those file accesses are consistent with the described functionality.
Persistence & Privilege
The skill does not set always:true and requires manual user action to install. However, the provided instructions ask the user to create/load a launchd agent, which grants persistent autostart on macOS. This persistence is proportional to the stated goal (auto-start), but users should review the plist and confirm paths/permissions before loading.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install todo-webapp - After installation, invoke the skill by name or use
/todo-webapp - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
Add preview screenshot
v1.0.0
Initial release: live TODO web app with SSE auto-refresh, click-to-toggle, and Archive Done button
Metadata
Frequently Asked Questions
What is TODO Web App?
Deploy a local TODO web app that reads and writes a Markdown TODO.md file. Serves a beautiful dark-themed, glassmorphism UI on the LAN (no HTTPS needed). Fea... It is an AI Agent Skill for Claude Code / OpenClaw, with 327 downloads so far.
How do I install TODO Web App?
Run "/install todo-webapp" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is TODO Web App free?
Yes, TODO Web App is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does TODO Web App support?
TODO Web App is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created TODO Web App?
It is built and maintained by jwhowa (@jwhowa); the current version is v1.0.1.
More Skills