Downloads: 677
Stars: 0
Active Installs: 0
Versions: 1
Install in OpenClaw
/install todolist-md-clawdbot-copy
Description
Read, summarize, propose edits, and write back changes to Markdown todo files using line-stable bot markers without altering task identity or completing tasks.
Usage Guidance
This skill contains functioning Drive integration code but the package metadata claims no required credentials or config paths — that mismatch is a red flag. Before installing or running:
1) Inspect and confirm you trust the code; it's safe-looking but will store OAuth refresh tokens and read secret env files by default under /root/clawd/.secrets.
2) Do not run it on a machine with sensitive root secrets; prefer an isolated container or VM.
3) Supply the minimal credential possible (short-lived ACCESS_TOKEN) instead of giving CLIENT_ID/CLIENT_SECRET/REFRESH_TOKEN if you can.
4) If you must use managed OAuth, change the default refresh token path to a directory you control and ensure file permissions are restrictive.
5) Be aware the scripts call sudo and expect a gog CLI — verify the gog binary path and that using sudo -u ubuntu is acceptable in your environment.
6) Ask the skill author to update registry metadata to list required env vars/config paths and to document exactly where tokens are written and how to opt out of persistent storage.
If you cannot confirm these fixes, treat the skill as risky and run only in an isolated environment.
Capability Analysis
Type: OpenClaw Skill
Description: OpenClaw Agent Skill
The skill bundle is classified as suspicious due to the explicit use of `sudo -u ubuntu -H env ... gog ...` for external command execution in `scripts/todolist_drive_folder_agent.mjs` and `scripts/todolist_review_drive.py`. While this capability is presented as necessary for interacting with Google Drive via the `gog` CLI, it grants the AI agent the ability to execute arbitrary commands as the `ubuntu` user. This creates a significant Remote Code Execution (RCE) vulnerability, as a malicious prompt could potentially trick the agent into constructing and executing harmful commands, even if the arguments are passed as an array to `execFileSync`/`subprocess.check_output`. This high-risk capability, despite the benign stated purpose, elevates the classification to suspicious rather than benign.
Capability Assessment
Purpose & Capability
The skill's stated purpose (read/update Markdown todo files) matches the included scripts: they implement a Google Drive-backed workflow (list, download, update files, revision gating). However the registry metadata declared no required env vars/config paths, which is incorrect: the scripts clearly require Drive auth (ACCESS_TOKEN or CLIENT_ID/CLIENT_SECRET/REFRESH_TOKEN) and a gog CLI for folder listing. The absence of declared credentials/config requirements is an incoherence.
Instruction Scope
SKILL.md stays mostly on-scope (detect changed files, extract open tasks, write bot-markers). But the runtime scripts go further: they read/write local secret files (default path /root/clawd/.secrets/todolist_drive_oauth.json and /root/clawd/.secrets/gog.env), run system commands via sudo to call a gog CLI, and expect env vars like CLIENT_ID, CLIENT_SECRET, REFRESH_TOKEN, ACCESS_TOKEN, GOG_ACCOUNT, GOG_KEYRING_PASSWORD. Those filesystem and sudo accesses are not documented in the registry requirements and expand the agent's runtime scope beyond what's advertised.
Install Mechanism
No install spec (instruction-only) — that's low risk from an installer perspective. There are no downloads from arbitrary URLs. However the included scripts will invoke local binaries (gog and sudo) and call external OAuth/Drive endpoints. The scripts rely on existing host tooling and will execute child processes (execFileSync / subprocess), which is expected for Drive integration but should be noted as an execution-time requirement.
Credentials
Registry lists no required environment variables or config paths, but the code expects and/or uses many secrets and paths: ACCESS_TOKEN, CLIENT_ID, CLIENT_SECRET, REFRESH_TOKEN, AUTH_CODE, REFRESH_TOKEN_FILE (default /root/clawd/.secrets/...), GOG_ACCOUNT, GOG_KEYRING_PASSWORD, GOG_BIN, and a gog.env file at /root/clawd/.secrets/gog.env. Asking for or writing persistent refresh tokens into /root is a privileged, persistent capability and is not proportionate to the registry's empty env declaration.
Persistence & Privilege
The skill does not set always:true (good), but it does persist long-lived credentials: managed-OAuth path writes a refresh_token JSON file by default to /root/clawd/.secrets/todolist_drive_oauth.json and reads a gog.env secret file from /root/clawd/.secrets. The code also invokes sudo -u ubuntu to run gog. These behaviors create persistent credentials on the host and require elevated/local access patterns that increase blast radius; they should be documented and restricted.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install todolist-md-clawdbot-copy
- After installation, invoke the skill by name or use /todolist-md-clawdbot-copy
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of todolist-md-clawdbot.
- Enables reading, summarizing, and editing Markdown todo files using stable bot comment markers (`<!-- bot: ... -->`).
- Ensures task identities persist by only making line-stable edits.
- Integrates with multiple storage backends (Google Drive, local folder, S3) and supports per-file enablement.
- Only reviews files that have changed and writes back outcomes without marking tasks complete without user confirmation.
- Provides helper scripts for Google Drive integration to automate detection and processing.
- Introduces dedicated bot-comment sections for suggested tasks, summaries, and in-file Q&A.
Frequently Asked Questions
What is Todolist Md Clawdbot Copy?
Read, summarize, propose edits, and write back changes to Markdown todo files using line-stable bot markers without altering task identity or completing tasks. It is an AI Agent Skill for Claude Code / OpenClaw, with 677 downloads so far.
How do I install Todolist Md Clawdbot Copy?
Run "/install todolist-md-clawdbot-copy" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Todolist Md Clawdbot Copy free?
Yes, Todolist Md Clawdbot Copy is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Todolist Md Clawdbot Copy support?
Todolist Md Clawdbot Copy is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Todolist Md Clawdbot Copy?
It is built and maintained by NitsujY (@nitsujy); the current version is v1.0.0.