Total downloads: 797
Favorites: 0
Current installs: 0
Versions: 2
Install in OpenClaw
/install todo-boss
Description
Capture and track tasks with owner and due date, mark done, list open or delegated tasks, and get daily reports via Telegram commands.
Security usage recommendations
This skill is incomplete and has some fragile and privacy-sensitive behavior. Before installing or using it, consider: (1) It only provides add_task.sh—commands mentioned in SKILL.md (listing, marking done, reports) are missing. Expect limited functionality unless you add more scripts. (2) The script looks for 'owner:' and 'due:' in English but the SKILL.md follow-up prompts are Korean, so extraction may fail; test inputs to confirm behavior. (3) The script writes the entire raw user text to a plain JSONL file in ~/.openclaw/workspace/data/todo — do not send secrets or private data through it. (4) The embedded Python heredoc interpolates shell variables without escaping; inputs containing quotes, backslashes, or newlines can break the script and corrupt the log. Consider fixing the script to safely escape or pass data to Python (e.g., use python -c with json.dumps of arguments or read from stdin), and implement missing features (list, done, report) before relying on it. If you cannot review/modify the script, run it in a controlled/test environment and avoid sending sensitive content.
Functional analysis
Type: OpenClaw Skill
Name: todo-boss
Version: 0.1.0
The skill is highly suspicious due to a critical Remote Code Execution (RCE) vulnerability in `add_task.sh`. User-controlled input (TEXT, TITLE, OWNER, DUE) is directly interpolated into a Python here-document without proper sanitization, allowing an attacker to inject and execute arbitrary Python code. This flaw, while not explicitly malicious in its current form, provides a clear pathway for an attacker to achieve data exfiltration, persistence, or other harmful actions.
Capability assessment
Purpose & Capability
The stated purpose (task capture, delegation, daily reports via Telegram) is consistent with a local append-only log approach. However the repository only contains add_task.sh while SKILL.md documents many commands (/todo_done, /todo_list, /todo_delegated, /todo_report) and a derived cache; those other commands and listing/mark-done logic are missing, so the package is incomplete relative to its claimed functionality.
Instruction Scope
SKILL.md instructs the agent to call the provided add_task.sh and to ask follow-ups when owner/due are missing. The script itself only appends a JSONL event with the raw user text and does simple pattern parsing for 'owner:' and 'due:'. Concerns: (1) the SKILL.md's follow-up policy and Korean prompts contrast with the script's English 'owner:'/'due:' parsing—mismatch may break extraction; (2) the script stores the full raw text (potentially sensitive) without warning or redaction; (3) the inline Python heredoc interpolates shell variables directly into Python source without escaping, so user input containing quotes, newlines, or special characters can break the Python snippet and corrupt the log or cause the script to fail; (4) there is no code here to finalize drafts, update events, list tasks, or mark tasks done despite SKILL.md promising those features.
Install Mechanism
Instruction-only plus a shell script means nothing is downloaded or installed. The script requires standard system tools (bash, sed, date, python3) but there is no install‑time network activity or unusual installers.
Credentials
No secrets or external credentials are requested, which is appropriate. The script reads $HOME and writes under ~/.openclaw/workspace/data/todo—this is expected for a local task log, but users should know data is stored in plain text under their home directory and could be read by other local processes or backed up to cloud storage.
Persistence & Privilege
always:false and no special agent-wide modifications. The script writes files under the user's home, which is consistent with a local task tracker. It does not attempt to modify other skills or system settings.
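How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install todo-boss
- After installation, call the Skill by name or use /todo-boss to trigger it
- Provide the required input according to the Skill's parameter description to get structured output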
Version history
v0.1.0
Version 0.1.0 of todo-boss
- Initial release of Telegram-based task capture and delegation tracker.
- Supports basic commands: /todo, /todo_done, /todo_list, /todo_delegated, /todo_report.
- Extracts owner and due date from free text; prompts user if missing.
- All task events are logged append-only; strict follow-up and no external web/API access.
- Designed for concise, action-focused interaction in Korean enterprise environments.
v1.0.0
Initial public release of todo-boss.
- Allows Telegram users to capture, delegate, and track tasks with daily reporting.
- Robust extraction rules: always ask for task owner and due date if missing, with Korean prompts.
- All task actions append to an append-only JSONL log for history and traceability.
- Strictly no web/API usage or open-ended context; focused only on task tracking.
- Short, action-oriented Telegram replies; auto-confirm task creation or status changes.
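Metadata
FAQ
What is Todo Boss?
Capture and track tasks with owner and due date, mark done, list open or delegated tasks, and get daily reports via Telegram commands. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 797 cumulative downloads so far.
How do I install Todo Boss?
Run the command "/install todo-boss" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.
Is Todo Boss free?
Yes, Todo Boss is completely free (free and open source) and can be freely downloaded, installed, and used.
Which platforms does Todo Boss support?
Todo Boss is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Todo Boss?
Developed and maintained by ukraecho (@ukraecho); the current version is v0.1.0.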