← 返回 Skills 市场
541
总下载
0
收藏
0
当前安装
4
版本数
在 OpenClaw 中安装
/install to-do
功能描述
Give your AI the power to act in the future. Schedule delayed prompts and one-off reminders that automatically wake the agent up at an exact moment to execut...
安全使用建议
This skill generally does what it says — it schedules the OpenClaw agent to run later — but it currently trusts callers to avoid dangerous inputs instead of enforcing safety. Before installing: 1) Confirm OPENCLAW_BIN points to a trusted, least-privileged OpenClaw binary. 2) Review or modify to-do.js to avoid shell-based exec interpolation (use spawn/execFile with argument arrays or strictly validate/sanitize userId, channel, and task content). 3) Test scheduling in a non-production environment to confirm no command-injection paths exist (try attacker-style inputs). 4) Prefer restricting scheduled messages to non-sensitive content and avoid embedding secrets or write-access file paths in scheduled instructions. If you want higher assurance, ask the author to add input validation and change exec usage to a safer API; having that change would increase confidence from medium to high.
功能分析
Type: OpenClaw Skill
Name: to-do
Version: 1.0.3
The `to-do.js` skill contains multiple command injection vulnerabilities across both Windows and Linux/macOS platforms. User-controlled input, specifically the `<instruction>` argument for scheduling and the `<ID>` argument for deletion (on Linux/macOS), is not sufficiently sanitized before being passed to `child_process.exec`. While `SKILL.md` attempts to instruct the AI agent to avoid shell meta-characters, this relies on the agent's adherence and does not fix the underlying code vulnerabilities, making the skill susceptible to prompt injection attacks leading to arbitrary command execution. For example, on Windows, the `flatInstruction` passed to `schtasks /tr` is vulnerable to quote breaking, and on Linux/macOS, `agentCommand` is unsafely embedded within double quotes in an `echo` command, allowing shell metacharacters like `$(command)` to execute. The `atrm ${id}` command on Linux/macOS also lacks quoting, making it vulnerable to injection if the ID contains shell metacharacters.
能力评估
Purpose & Capability
Name/description, required binary (node), and the two env vars (OPENCLAW_BIN, OPENCLAW_TZ) align with a scheduler that calls the OpenClaw agent at a future time. The script uses OS schedulers ('at' / 'schtasks') and invokes the openclaw binary to deliver messages, which is expected for this functionality.
Instruction Scope
SKILL.md explicitly instructs careful sanitization (no shell metacharacters, use only raw alphanumeric for user_id/channel) and to create fully self-contained instructions. However the code does not enforce those constraints: userId and channel are interpolated into shell commands without validation or escaping on POSIX/Windows flows. The skill therefore relies on politeness of callers rather than safe code, increasing risk of command injection or scheduling of malicious/overly-privileged actions. The skill also encourages including exact file paths and tool names in scheduled instructions — reasonable for clarity but increases chance of scheduling sensitive operations.
Install Mechanism
No install spec (instruction-only with provided JS file). Required runtime is node; no external downloads or archive extraction. Low install risk.
Credentials
Only OPENCLAW_BIN and OPENCLAW_TZ are required, which is proportionate for a scheduler that must call a local openclaw binary and interpret user timezone. However OPENCLAW_BIN points to a binary that will be executed later; if that binary is untrusted or has broad privileges, scheduled tasks can later trigger powerful actions. The skill does not request other secrets or credentials.
Persistence & Privilege
always is false (normal). The skill writes nothing itself but creates OS scheduler entries (at/schtasks) which persist and will run the openclaw agent at scheduled times. That persistence is appropriate for a scheduler but does increase blast radius because tasks run autonomously later; combined with the command construction issues this is a significant concern.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install to-do - 安装完成后,直接呼叫该 Skill 的名称或使用
/to-do触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.3
Improved SKILL.md prompt design: clearer command usage, stricter scheduling guardrails (run before resolving relative times), stronger anti-ambiguity/safety rules, and expanded examples for self-contained future instructions. No runtime code changes.
v1.0.2
Re-publish and update scheduler docs
v1.0.1
Internal cleanup and metadata optimization
v1.0.0
- Initial release: introduces one-off scheduling of background tasks, delayed actions, and reminders for agents.
- Supports precise execution timing using native OS schedulers (`at` for Linux/macOS, `schtasks` for Windows).
- Requires full, self-contained instructions for future sessions; vague requests are rejected pending clarification.
- Dynamic context routing with user ID, channel, and timezone ensures correct delivery.
- Strict output format: responses show scheduled date/time and the exact action in a blockquote, with no filler.
- Includes commands for scheduling tasks, listing pending tasks, and deleting tasks.
元数据
常见问题
To-Do 是什么?
Give your AI the power to act in the future. Schedule delayed prompts and one-off reminders that automatically wake the agent up at an exact moment to execut... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 541 次。
如何安装 To-Do?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install to-do」即可一键安装,无需额外配置。
To-Do 是免费的吗?
是的,To-Do 完全免费(开源免费),可自由下载、安装和使用。
To-Do 支持哪些平台?
To-Do 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 To-Do?
由 DevLumuz(@devlumuz)开发并维护,当前版本 v1.0.3。
推荐 Skills