Task Runner

Manage and track tasks and projects persistently with priorities, completion status, filtering, and secure markdown export across sessions.

This skill appears to do exactly what it claims: a local task tracker with a JSON DB and Markdown export. Before installing/using it, consider: (1) the export function allows writing anywhere in your home directory except for a short blacklist of filename patterns — if you want stronger safety, restrict exports to the workspace directory only; (2) review the blacklist (it omits some dotfiles and config locations like general .config or .bash_history) if you are concerned about accidental overwrites; (3) back up any important files you might overwrite and inspect ~/.openclaw/workspace/tasks_db.json if you care about what data the skill stores; (4) because the skill can be invoked autonomously by an agent (normal default), ensure you trust the agent prompts that would call export with user-supplied paths. If you want maximum safety, only export to files inside ~/.openclaw/workspace or /tmp.

Type: OpenClaw Skill Name: task-runner Version: 1.0.1 The skill bundle provides a task management utility with persistent storage and markdown export functionality. The `SKILL.md` clearly outlines its purpose and security measures, specifically regarding file export path validation. The `scripts/task_runner.py` implements a robust `is_safe_path` function that correctly restricts file exports to the OpenClaw workspace, user's home directory, or `/tmp`, while explicitly blocking system paths and sensitive dotfiles (e.g., `~/.ssh`, `~/.bashrc`). There is no evidence of data exfiltration, malicious execution, persistence mechanisms, prompt injection attempts against the agent, or obfuscation. The code's behavior is clearly aligned with its stated purpose and includes meaningful security controls.