
TODO Tracker

by Jonathan Rhyne · GitHub ↗ · v1.0.0
cross-platform ✓ Security Clean
9284 Downloads · 1 Stars · 61 Active Installs · 1 Versions
Install in OpenClaw
/install todo-tracker
Description
Persistent TODO scratch pad for tracking tasks across sessions. Use when user says "add to TODO", "what's on the TODO", "mark X done", "show TODO list", "remove from TODO", or asks about pending tasks. Also triggers on heartbeat to remind about stale items.
Usage Guidance
Install only if you are comfortable with the agent maintaining a persistent local TODO.md file. Use explicit commands for add, done, and remove actions, and review TODO.md before deleting entries. Avoid passing complex regex-like text to mark-done or remove commands unless the script is hardened to treat input as plain text.
Capability Analysis
Type: OpenClaw Skill
Name: todo-tracker
Version: 1.0.0
The skill is classified as suspicious due to a potential Regular Expression Denial of Service (ReDoS) vulnerability in `scripts/todo.sh`. User-provided patterns for 'mark done' and 'remove item' commands are directly used in `grep` and `sed` regex operations without sufficient sanitization, which could allow a malicious or overly complex regex pattern to consume excessive CPU resources and lead to a denial of service. While the skill's core functionality is benign and involves local file operations, this specific implementation detail introduces a notable risk.
Capability Assessment
Purpose & Capability
The described behavior fits a TODO tracker: listing pending items, adding remembered tasks, marking tasks done, and removing entries from a local TODO file.
Instruction Scope
Some activation examples are broad, such as natural phrasing around pending tasks or remembering something, so accidental TODO edits are possible, but they remain aligned with the stated task-tracking purpose.
Install Mechanism
No evidence was provided of unusual install steps, hidden package execution, dependency fetching, or install-time persistence beyond the skill files themselves.
Credentials
The apparent environment access is limited to local TODO state and a helper shell script; no network, credential, browser profile, account, or broad filesystem access is evidenced.
Persistence & Privilege
The skill maintains persistent TODO.md state and can delete TODO entries. That persistence is expected for the purpose, but users should understand removals may be irreversible unless they have backups or version control.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install todo-tracker
  3. After installation, invoke the skill by name or use /todo-tracker
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: Persistent TODO scratch pad for Clawdbot with priority levels, completion tracking, and heartbeat integration
Metadata
Slug todo-tracker
Version 1.0.0
License
All-time Installs 314
Active Installs 61
Total Versions 1
Frequently Asked Questions

What is TODO Tracker?

Persistent TODO scratch pad for tracking tasks across sessions. Use when user says "add to TODO", "what's on the TODO", "mark X done", "show TODO list", "remove from TODO", or asks about pending tasks. Also triggers on heartbeat to remind about stale items. It is an AI Agent Skill for Claude Code / OpenClaw, with 9284 downloads so far.

How do I install TODO Tracker?

Run "/install todo-tracker" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is TODO Tracker free?

Yes, TODO Tracker is completely free (open-source). You can download, install and use it at no cost.

Which platforms does TODO Tracker support?

TODO Tracker is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created TODO Tracker?

It is built and maintained by Jonathan Rhyne (@jdrhyne); the current version is v1.0.0.
