siyuan-task-skill

by zhhkheaven · GitHub ↗ · v1.0.0
cross-platform · ⚠ suspicious
1164 Downloads · 2 Stars · 2 Active Installs · 1 Version
Install in OpenClaw
/install siyuan-task-skill
Description
Manage tasks in SiYuan Note via its HTTP API. Create, query, update, and organize tasks stored in the 任务清单 document (with a TASK database) and sub-documents for related materials. Use when the user mentions SiYuan, task management, or needs to track work items.
Usage Guidance
Key things to consider before installing:
- The package contains a pre-filled config.env with a SIYUAN_API_TOKEN and a private/shared-space IP (100.64.0.11). This is sensitive — do not assume the token is harmless. If your runtime can reach that IP, the bundled token may allow access to someone else's SiYuan instance.
- The skill metadata claims no required credentials, but the code needs SIYUAN_API_URL and SIYUAN_API_TOKEN and will read/write config.env. That mismatch indicates sloppy packaging or deliberate inclusion of credentials; either way you should not trust embedded tokens.
- The code legitimately uses powerful API calls (create/remove docs, modify AV JSON via put_file). Those are expected for managing SiYuan tasks but can also be misused if the token is valid. Ensure the token has minimal privileges or use a dedicated token you control.
- Recommended actions: ask the publisher for a source/homepage and a reason the token was bundled; replace the bundled config.env with your own values before running; review the full scripts locally; run the skill in an isolated environment or sandbox; and revoke the bundled token (or block the address) if you have any contact with that SiYuan instance.
- If you cannot verify the origin or purpose of the embedded token/URL, avoid enabling autonomous invocation for this skill and prefer a version that requires you to explicitly supply credentials at runtime.
Capability Analysis
Type: OpenClaw Skill
Name: siyuan-task-skill
Version: 1.0.0
The skill is classified as suspicious due to several high-risk capabilities, even though they are plausibly needed for its stated purpose of managing tasks in SiYuan Note. Key indicators include:
- the broad `Bash(python3:*)` permissions;
- the `upload_asset` function in `scripts/siyuan_api.py`, which can read arbitrary local files and upload them to the SiYuan instance (a form of data exfiltration to the SiYuan application itself);
- the `init_database` function in `scripts/task_ops.py`, which rewrites the `config.env` file, demonstrating local file modification.
Additionally, the `siyuan_api.py` client exposes powerful `sql_query`, `get_file`, and `put_file` methods that allow extensive interaction with the SiYuan internal database and file system, which could be misused if the agent or user input were compromised.
Capability Assessment
Purpose & Capability
The skill's name/description (SiYuan task management) matches its code: it uses the SiYuan HTTP API to create/list/update tasks and related sub-documents. However the registry metadata claims no required environment variables or primary credential while the implementation expects and uses SIYUAN_API_URL, SIYUAN_API_TOKEN, and notebook IDs via a config.env file. Declaring 'no required env vars' is inconsistent with the actual need for an API token and URL.
Instruction Scope
SKILL.md and the scripts instruct the agent to read and modify a local config.env, call many SiYuan API endpoints (create docs, modify blocks, upload assets) and to write SiYuan storage JSON (/data/storage/av/<AV_ID>.json) via the API. Those actions are within the stated purpose (managing the TASK Attribute View and linked sub-documents), but writing AV JSON and using put_file to modify SiYuan storage is powerful — it can change view metadata and bind rows to documents. The instructions do not ask the agent to read unrelated system files or external endpoints beyond the SiYuan instance.
Install Mechanism
There is no install spec (instruction-only runtime plus included Python scripts). No third-party downloads or install hooks are present, which reduces installer risk. The skill does include Python scripts that will be executed by the agent when invoked.
Credentials
The code requires SIYUAN_API_URL and SIYUAN_API_TOKEN (and notebook/AV IDs) but the skill metadata lists no required env vars. Worse, the packaged repo already contains a populated config.env with a SIYUAN_API_TOKEN and internal IP (http://100.64.0.11:52487). Shipping a hardcoded token/URL in the skill bundle is inappropriate: if the token is valid and the runtime can reach that address, the skill could act with that credential. The number and type of credentials are reasonable for the feature, but their presence embedded in the package (not declared) is disproportionate and risky.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global agent settings. It reads and writes its own config.env file (normal for this tool) and calls SiYuan APIs. Autonomous invocation (disable-model-invocation false) is the platform default and not by itself problematic; combined with the embedded token this increases blast radius but there is no evidence the skill attempts to persist beyond its own files.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install siyuan-task-skill
  3. After installation, invoke the skill by name or use /siyuan-task-skill
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
SiYuan Note Task Management skill initial release.
- Manage tasks in SiYuan Note via Python scripts and HTTP API.
- Auto-creates a task database and sub-documents for each task.
- Supports task CRUD (create, query, update, delete), status changes, renaming, and attachment of images.
- Configuration via simple `config.env` file; auto-initialization with `init` command.
- Command-line tool and Python API for both quick usage and programmatic integration.
- Detailed data model with customizable columns and automatic handling of notebook/document structure.
Metadata
Slug siyuan-task-skill
Version 1.0.0
License
All-time Installs 2
Active Installs 2
Total Versions 1
Frequently Asked Questions

What is siyuan-task-skill?

Manage tasks in SiYuan Note via its HTTP API. Create, query, update, and organize tasks stored in the 任务清单 document (with a TASK database) and sub-documents for related materials. Use when the user mentions SiYuan, task management, or needs to track work items. It is an AI Agent Skill for Claude Code / OpenClaw, with 1164 downloads so far.

How do I install siyuan-task-skill?

Run "/install siyuan-task-skill" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is siyuan-task-skill free?

Yes, siyuan-task-skill is completely free (open-source). You can download, install and use it at no cost.

Which platforms does siyuan-task-skill support?

siyuan-task-skill is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created siyuan-task-skill?

It is built and maintained by zhhkheaven (@zhhkheaven); the current version is v1.0.0.
