← Back to Skills Marketplace

Telegram Todo List

Name: Telegram Todo List
Author: hengbo12345

by BugIt · GitHub ↗ · v1.0.1

cross-platform ⚠ suspicious

920

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install telegram-todolist

Description

Manage your TODO.md todo list via Telegram with commands to query, organize (add/edit/delete/move), and execute (complete) tasks.

Usage Guidance

This skill is internally inconsistent rather than obviously malicious: it claims to be a Telegram bot but contains only a local TODO.md manager and several buggy implementations (task numbering, delete, and timestamp handling). Before installing or enabling it for autonomous use, consider: 1) Do you need actual Telegram integration? If so, request or add secure Telegram API code and credentials handling. 2) Backup any existing /root/.openclaw/workspace/TODO.md — the skill will create/overwrite that file. 3) Review and test the script in a sandboxed environment (non-production workspace) to confirm behavior and fix bugs (marking complete, deleting, numbering, timestamps). 4) Ask the author to clarify purpose and provide a README or remove 'Telegram' from the name if it is only a helper library. Because of these mismatches and implementation issues, treat this skill cautiously and do not enable it with sensitive data or broad autonomous access until corrected.

Capability Analysis

Type: OpenClaw Skill Name: telegram-todolist Version: 1.0.1 The skill is classified as suspicious due to a prompt injection vulnerability. The `add_task` function in `scripts/todolist.py` allows user-provided input (`main_task`, `subtasks`) to be written directly into the `TODO.md` file without sanitization. Since `TODO.md` is a markdown file located in the agent's workspace (`/root/.openclaw/workspace/TODO.md`), an attacker could inject malicious markdown instructions into the todo list. If the OpenClaw agent later re-reads and interprets the content of `TODO.md` as instructions, this could lead to prompt injection, allowing an attacker to manipulate the agent's behavior beyond the skill's intended purpose.

Capability Assessment

⚠ Purpose & Capability

Name and SKILL.md describe a Telegram bot with /todo commands, but the included Python script has no network/Telegram API code, no webhook/long-polling, and requests no Telegram credentials. The script only reads/writes a local TODO.md in the agent workspace, so the 'Telegram' aspect is missing or misleading.

⚠ Instruction Scope

SKILL.md instructs the agent to support query/organize/execute semantics (including timestamp updates, moving tasks between sections, and accurate numbering). The implementation reads/writes TODO.md and formats output, but many behaviors described are not implemented or are implemented incorrectly (e.g., timestamp updates on completion are not added, task-number → line mapping logic is flawed, delete_task logic is incorrect). Instructions do not direct reading of unrelated files or external endpoints, but they claim capabilities the code does not provide.

✓ Install Mechanism

No install spec — instruction-only + a single script. Nothing is downloaded or written by an installer. This is the lowest install risk.

ℹ Credentials

No environment variables or credentials are requested (appropriate for a local file-based todo manager). The script uses a hardcoded workspace path (/root/.openclaw/workspace/TODO.md) which matches SKILL.md; this grants access only to the agent workspace but should be noted (it will create/overwrite that file).

✓ Persistence & Privilege

The skill is not marked always:true and does not request elevated privileges or modify other skills. It writes a TODO.md template into the workspace on missing-file errors — expected for this purpose.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install telegram-todolist
After installation, invoke the skill by name or use /telegram-todolist
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.1

- Updated skill and command descriptions for greater clarity and brevity. - Improved summary and keywords in the skill description for better discoverability. - No changes to commands, features, or implementation details—documentation only.

v1.0.0

Initial release of telegram-todolist: - Manage TODO.md through Telegram bot with three core commands: query, organize, and execute. - Display todo list, statistics, and task details via /todo query. - Add, delete, move, edit, and batch manage tasks using /todo organize <action>. - Mark tasks as completed and move them to finished section with /todo execute <task_number>. - Provides formatted output, progress indicators, error handling, and detailed confirmation messages. - All operations performed directly on TODO.md file in the workspace root.

Metadata

Slug telegram-todolist

Version 1.0.1

License —

All-time Installs 2

Active Installs 2

Total Versions 2

Frequently Asked Questions

What is Telegram Todo List?

Manage your TODO.md todo list via Telegram with commands to query, organize (add/edit/delete/move), and execute (complete) tasks. It is an AI Agent Skill for Claude Code / OpenClaw, with 920 downloads so far.

How do I install Telegram Todo List?

Run "/install telegram-todolist" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Telegram Todo List free?

Yes, Telegram Todo List is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Telegram Todo List support?

Telegram Todo List is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Telegram Todo List?

It is built and maintained by BugIt (@hengbo12345); the current version is v1.0.1.

More Skills