gothicfox

TODO Tracker (Safe)

Author: Alex Chen · GitHub · v1.0.1 · MIT-0
cross-platform ✓ Security check passed
Total downloads: 445
Favorites: 0
Current installs: 1
Versions: 2
Install in OpenClaw
/install todo-tracker-safe
Description
Secure TODO tracker with input validation and safe file operations. Use for task management across sessions.
Security usage recommendations
This script is a local, file-based TODO manager and appears to perform only safe text-file operations. Before installing: make sure the default path (~/.openclaw/workspace/TODO.md) is acceptable (or set TODO_FILE), create the containing directory with correct permissions so the script can initialize the file, and be aware that the agent may autonomously show the summary (heartbeat), which will read that file. If you want to be extra cautious, review the included scripts/todo.sh yourself; it contains the full implementation, and no network calls or calls to external services were found.
Functional analysis
Type: OpenClaw Skill
Name: todo-tracker-safe
Version: 1.0.1
The skill bundle provides a secure TODO tracking utility with robust security practices. The `scripts/todo.sh` script implements input sanitization, strict shell modes (`set -euo pipefail`), and avoids command injection by using `awk -v` for variable passing and `grep -F` for fixed-string matching. It also includes file permission checks to ensure the data file is not world-writable. No evidence of data exfiltration, network activity, or malicious intent was found.
Capability assessment
Purpose & Capability
Name/description (local TODO tracker) align with what is present: a bash script that reads/writes a TODO.md and uses bash/grep/awk/sed. No unrelated credentials, binaries, or network access are requested.
Instruction Scope
SKILL.md and the script limit actions to local file operations, listing, adding, marking done, and summarizing tasks. The README and SKILL.md claim no env vars except TODO_FILE, but the script also reads HOME to build a default path (normal for local tools). The skill states it may display a summary on heartbeat — that implies autonomous invocation may cause periodic reads of the TODO file, which is consistent with the stated behavior.
Install Mechanism
No install spec; instruction-only with an included script. Nothing is downloaded or written by an installer, so there is no remote install risk.
Credentials
No required environment variables are declared. The script optionally respects TODO_FILE (reasonable). It also uses HOME implicitly to compute the default path — this is typical for a local file-based tool but is a minor mismatch with the SKILL.md phrasing that claimed 'no env var reading except TODO_FILE.'
Persistence & Privilege
always:false and no modifications to other skills or global agent configs. The script writes only to the user-specified (or default) TODO file; it requires an existing writable directory to create the file and will error otherwise.
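How to use
  1. Make sure OpenClaw is installed (locally or via a Docker deployment)
  2. Enter the install command in the chat box: /install todo-tracker-safe
  3. Once installation completes, call the Skill by name or trigger it with /todo-tracker-safe
  4. Provide the required input according to the Skill's parameter description to get structured output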
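Version history
v1.0.1
Fixed the permission-check logic
v1.0.0
Security-hardened release: input validation, fixed-string matching, file permission checks, no dynamic execution
Metadata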
Slug todo-tracker-safe
Version 1.0.1
License MIT-0
Total installs 1
Current installs 1
Historical versions 2
FAQ

What is TODO Tracker (Safe)?

Secure TODO tracker with input validation and safe file operations. Use for task management across sessions. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 445 cumulative downloads to date.

How do I install TODO Tracker (Safe)?

Run the command "/install todo-tracker-safe" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is required.

Is TODO Tracker (Safe) free?

Yes, TODO Tracker (Safe) is completely free and is released under the MIT-0 license; it can be freely downloaded, installed and used.

Which platforms does TODO Tracker (Safe) support?

TODO Tracker (Safe) runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed TODO Tracker (Safe)?

It is developed and maintained by Alex Chen (@gothicfox); the current version is v1.0.1.
