Todo List (To-Do Management)
Author: YuShenLiu06 · v1.3.0 · MIT-0
Total downloads: 392 · Favorites: 0 · Current installs: 2 · Versions: 4
Install in OpenClaw
/install todo-list
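Description
A to-do management skill that supports adding, viewing, completing and deleting to-do items, with due-date reminders, a tag system, project management and attachments. Trigger conditions: (1) the user mentions to-dos, Todo, task management, to-do list, todolist (2) to-do items need to be added, viewed, completed or deleted (3) setting task reminders (4) tag management (5) project management (6) the user directly types "todo" or...
Security Usage Recommendations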
This skill is functionally coherent for a local todo/reminder system using the OpenClaw CLI, but exercise caution before installing.
What to check or do before installing:
- Inspect and fix the shell deletion call: replace `subprocess.run(f"openclaw cron delete {old_job_id}", shell=True, ...)` with an args list (e.g. `['openclaw','cron','delete', old_job_id]`) or otherwise sanitize/validate job IDs to remove command injection risk.
- Review the implementation of attachment handling (add_attachment) to ensure it enforces the claimed path restrictions, prevents directory traversal and symlink TOCTOU attacks, enforces the 50MB limit, and sets safe permissions on copied files.
- Ensure the memory directory (~/.openclaw/workspace/memory/) and session config files are accessible only by the intended user (restrict filesystem permissions) because reminders and job IDs are stored there and could be tampered with by other local users.
- Be aware that the skill will create cron jobs via OpenClaw and send messages to configured channels/targets — verify your OpenClaw configuration and channel target are trusted before enabling reminders.
- If you do not trust the skill owner/source, consider running the scripts in a restricted environment (container or dedicated account) or request a code revision that removes shell=True usage and provides audited attachment code.
Confidence note: the assessment is based on the included SKILL.md and the provided Python sources; the todo.py file was large and partially truncated in the listing, so also review the remainder of that file (especially add_attachment and any other subprocess usage) for additional issues.
Functional Analysis
Type: OpenClaw Skill
Name: todo-list
Version: 1.3.0
The skill bundle is a functional todo list manager that supports task scheduling, tagging, project grouping, and file attachments. It uses the `openclaw` CLI for sending notifications and managing cron jobs. Security features are implemented in `scripts/todo.py`, such as path validation and size limits for attachments to prevent unauthorized file access. While some internal calls to `subprocess.run` still use `shell=True` (a potential vulnerability if local configuration files are tampered with), the overall logic is transparent, well-documented, and lacks any indicators of malicious intent or data exfiltration.
Capability Assessment
Purpose & Capability
Name/description, the CLI scripts, and the SKILL.md are consistent: the package implements a local Python-based todo system, stores data under ~/.openclaw/workspace/memory/, supports attachments and uses the OpenClaw CLI to create cron reminders. The requested dependencies (python3 and OpenClaw CLI) match the stated purpose and there are no unexpected external credentials or unrelated binaries required.
Instruction Scope
Runtime instructions require the agent to read/write session and data files under ~/.openclaw/workspace/memory/ (todo.json, session config, reminders, attachments). That matches the feature set, but it does mean the skill will read local files and persist configuration and reminders. The SKILL.md requires the agent to extract channel and target from the conversation context and pass them to scripts — this is expected but grants the skill the ability to send messages via OpenClaw into configured channels. The instructions also direct the agent to only output certain tokens (e.g. NO_REPLY) when scripts are used, which is an operational constraint but not a security issue by itself.
Install Mechanism
No external install/download step is declared (instruction-only with included Python scripts). No remote URLs or package installs are used. The code is bundled in the skill, so there is no network fetch at install time — lowest risk from installers.
Credentials
The skill does not request environment variables or external credentials. Its need to access files under the user's home (~/.openclaw/workspace/memory/) and to call the OpenClaw CLI is proportional to a todo/reminder skill that integrates with OpenClaw cron and channel messaging.
Persistence & Privilege
The skill persists its own data and session configuration under ~/.openclaw/workspace/memory/ and creates cron jobs via the OpenClaw CLI. It is not marked always:true and does not claim to modify other skills. Creating cron entries and writing to the user-owned memory directory are expected for reminders, but these are persistent actions the user should be aware of (cron jobs will cause future outbound messages to channels configured in session).
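How to Use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install todo-list
- After installation, invoke the Skill by name or use /todo-list to trigger it
- Provide the required inputs according to the Skill's parameter description to get structured output
Version History
v1.3.0
Improved to-do management features, improved the reminder mechanism, fixed known issues
v1.2.0
Removed the feishu dependency, simplified the metadata format, explicitly declared dependencies
v1.1.0
Security fix: removed shell=True, added dependency declarations, hardened file access security
v1.0.0
Initial release: supports to-do management, tag system, project management, attachments, automatic reminders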
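FAQ
What is Todo List (To-Do Management)?
A to-do management skill that supports adding, viewing, completing and deleting to-do items, with due-date reminders, a tag system, project management and attachments. Trigger conditions: (1) the user mentions to-dos, Todo, task management, to-do list, todolist (2) to-do items need to be added, viewed, completed or deleted (3) setting task reminders (4) tag management (5) project management (6) the user directly types "todo" or... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 392 cumulative downloads so far.
How do I install Todo List (To-Do Management)?
Run the command "/install todo-list" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.
Is Todo List (To-Do Management) free?
Yes. Todo List (To-Do Management) is completely free, is released under the MIT-0 license, and can be freely downloaded, installed and used.
Which platforms does Todo List (To-Do Management) support?
Todo List (To-Do Management) runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).
Who developed Todo List (To-Do Management)?
It is developed and maintained by YuShenLiu06 (@yushenliu06); the current version is v1.3.0.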