← 返回 Skills 市场

Telegram Todo List

Name: Telegram Todo List
Author: hengbo12345

作者 BugIt · GitHub ↗ · v1.0.1

cross-platform ⚠ suspicious

920

总下载

当前安装

版本数

在 OpenClaw 中安装

/install telegram-todolist

功能描述

Manage your TODO.md todo list via Telegram with commands to query, organize (add/edit/delete/move), and execute (complete) tasks.

安全使用建议

This skill is internally inconsistent rather than obviously malicious: it claims to be a Telegram bot but contains only a local TODO.md manager and several buggy implementations (task numbering, delete, and timestamp handling). Before installing or enabling it for autonomous use, consider: 1) Do you need actual Telegram integration? If so, request or add secure Telegram API code and credentials handling. 2) Backup any existing /root/.openclaw/workspace/TODO.md — the skill will create/overwrite that file. 3) Review and test the script in a sandboxed environment (non-production workspace) to confirm behavior and fix bugs (marking complete, deleting, numbering, timestamps). 4) Ask the author to clarify purpose and provide a README or remove 'Telegram' from the name if it is only a helper library. Because of these mismatches and implementation issues, treat this skill cautiously and do not enable it with sensitive data or broad autonomous access until corrected.

功能分析

Type: OpenClaw Skill Name: telegram-todolist Version: 1.0.1 The skill is classified as suspicious due to a prompt injection vulnerability. The `add_task` function in `scripts/todolist.py` allows user-provided input (`main_task`, `subtasks`) to be written directly into the `TODO.md` file without sanitization. Since `TODO.md` is a markdown file located in the agent's workspace (`/root/.openclaw/workspace/TODO.md`), an attacker could inject malicious markdown instructions into the todo list. If the OpenClaw agent later re-reads and interprets the content of `TODO.md` as instructions, this could lead to prompt injection, allowing an attacker to manipulate the agent's behavior beyond the skill's intended purpose.

能力评估

⚠ Purpose & Capability

Name and SKILL.md describe a Telegram bot with /todo commands, but the included Python script has no network/Telegram API code, no webhook/long-polling, and requests no Telegram credentials. The script only reads/writes a local TODO.md in the agent workspace, so the 'Telegram' aspect is missing or misleading.

⚠ Instruction Scope

SKILL.md instructs the agent to support query/organize/execute semantics (including timestamp updates, moving tasks between sections, and accurate numbering). The implementation reads/writes TODO.md and formats output, but many behaviors described are not implemented or are implemented incorrectly (e.g., timestamp updates on completion are not added, task-number → line mapping logic is flawed, delete_task logic is incorrect). Instructions do not direct reading of unrelated files or external endpoints, but they claim capabilities the code does not provide.

✓ Install Mechanism

No install spec — instruction-only + a single script. Nothing is downloaded or written by an installer. This is the lowest install risk.

ℹ Credentials

No environment variables or credentials are requested (appropriate for a local file-based todo manager). The script uses a hardcoded workspace path (/root/.openclaw/workspace/TODO.md) which matches SKILL.md; this grants access only to the agent workspace but should be noted (it will create/overwrite that file).

✓ Persistence & Privilege

The skill is not marked always:true and does not request elevated privileges or modify other skills. It writes a TODO.md template into the workspace on missing-file errors — expected for this purpose.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install telegram-todolist
安装完成后，直接呼叫该 Skill 的名称或使用 /telegram-todolist 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.1

- Updated skill and command descriptions for greater clarity and brevity. - Improved summary and keywords in the skill description for better discoverability. - No changes to commands, features, or implementation details—documentation only.

v1.0.0

Initial release of telegram-todolist: - Manage TODO.md through Telegram bot with three core commands: query, organize, and execute. - Display todo list, statistics, and task details via /todo query. - Add, delete, move, edit, and batch manage tasks using /todo organize <action>. - Mark tasks as completed and move them to finished section with /todo execute <task_number>. - Provides formatted output, progress indicators, error handling, and detailed confirmation messages. - All operations performed directly on TODO.md file in the workspace root.

元数据

Slug telegram-todolist

版本 1.0.1

许可证 —

累计安装 2

当前安装数 2

历史版本数 2

常见问题

Telegram Todo List 是什么？

Manage your TODO.md todo list via Telegram with commands to query, organize (add/edit/delete/move), and execute (complete) tasks. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 920 次。

如何安装 Telegram Todo List？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install telegram-todolist」即可一键安装，无需额外配置。

Telegram Todo List 是免费的吗？

是的，Telegram Todo List 完全免费（开源免费），可自由下载、安装和使用。

Telegram Todo List 支持哪些平台？

Telegram Todo List 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Telegram Todo List？

由 BugIt（@hengbo12345）开发并维护，当前版本 v1.0.1。