← Back to Skills Marketplace
yf-memo
by
Yi-Fan Song
· GitHub ↗
· v1.0.0
· MIT-0
226
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install yf-memo
Description
Personal memo and todo management system. Use when user expresses intent related to remembering, tracking, or managing tasks.
Usage Guidance
This skill appears to be what it claims (a local memo/todo system) but has several implementation issues you should review before installing: 1) The hook and some docs reference template filenames (template-todo.md, template-done.md, assets names) that don't match the provided asset filenames (template-pending.md, template-completed.md) — running the hook as-is may fail or behave unexpectedly. 2) Several scripts and examples use sed -i '' (BSD/macOS syntax) which will break on many Linux systems; expect portability bugs. 3) The skill suggests editing ~/.bashrc, creating symlinks in ~/.local/bin, and adding cron jobs — these change your environment and should only be performed with your explicit consent after reading the hook/install commands. 4) The documentation contains both a directive to avoid hard-coded phrase-action mappings and an implementation doc that lists many exact regex patterns, which is an internal inconsistency (affects how the assistant may parse user text). Recommended actions: review the hook and scripts line-by-line (especially any cp, sed, or echo >> ~/.bashrc operations); run in a controlled environment (or sandbox) first; backup ~/.openclaw/workspace files before running hooks; and request corrected hook/assets from the author (or fix template names and sed compatibility) before enabling automatic setup or cron tasks.
Capability Analysis
Type: OpenClaw Skill
Name: yf-memo
Version: 1.0.0
The skill implements a functional personal memo system but contains significant shell injection vulnerabilities. The `memo-helper.sh` script uses unsanitized user input directly within `sed` commands and shell arguments, which could be exploited to execute arbitrary commands if a user provides a crafted task description (e.g., containing backticks or semicolons). While the behavior appears aligned with the stated purpose of task management and no clear evidence of intentional malice or data exfiltration was found, the high-risk execution patterns in `SKILL.md` and `implementation.md` warrant a suspicious classification.
Capability Assessment
Purpose & Capability
The skill is a local memo/todo manager and the scripts operate on ~/.openclaw/workspace/pending-items.md and completed-items.md which is coherent with the description. Required binary is only bash, which makes sense.
Instruction Scope
The SKILL.md instructs the agent to locate and execute local scripts and to read/write workspace markdown files — appropriate for a memo skill — but there are contradictory implementation notes: SKILL.md says "DO NOT" hard-code phrase→action mappings while references/implementation.md includes many exact regex patterns and parsing logic. The skill also suggests editing shell profiles and creating cron jobs (hooks/openclaw/HOOK.md and path-resolution examples), which broaden the scope to modifying user environment.
Install Mechanism
There is no remote download or installer (manual copy of directory is expected), which reduces supply-chain risk. However the included hook and path-resolution docs propose copying files, creating symlinks, and adding lines to shell profiles/crontab — all manual steps the user must review before running.
Credentials
The skill does not request credentials or env vars, which is appropriate. Still, documentation contains snippets that would append exports to ~/.bashrc, set up cron jobs, and copy files into the user's home; these are environment changes not strictly required just to store local todos and should be explicitly approved by the user. The hook also references template filenames that don't exist in the asset list (see detail), which could lead to unexpected behavior when run.
Persistence & Privilege
always is false and model invocation defaults are normal. The hook offers an optional auto-setup that can create files and optionally add a daily cron job — this gives the skill persistent scheduled execution if a user accepts the hook/cron, so the user should confirm before enabling. The skill does not request elevated system privileges.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install yf-memo - After installation, invoke the skill by name or use
/yf-memo - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
yf-memo 1.0.0
- Initial release of personal memo and todo management skill for OpenClaw.
- Supports intent-based task tracking, completion, and review through natural conversation.
- Handles addition, completion, status inquiry, and accomplishment review of tasks.
- Flexible language support (Chinese and English); prioritizes user intent over fixed commands.
- Installation and script usage instructions provided, including dynamic path handling.
Metadata
Frequently Asked Questions
What is yf-memo?
Personal memo and todo management system. Use when user expresses intent related to remembering, tracking, or managing tasks. It is an AI Agent Skill for Claude Code / OpenClaw, with 226 downloads so far.
How do I install yf-memo?
Run "/install yf-memo" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is yf-memo free?
Yes, yf-memo is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does yf-memo support?
yf-memo is cross-platform and runs anywhere OpenClaw / Claude Code is available (darwin, linux).
Who created yf-memo?
It is built and maintained by Yi-Fan Song (@yfsong0709); the current version is v1.0.0.
More Skills