Security scan
OpenClaw
Safe
high confidence
The skill's requirements and instructions are consistent with a Taskleef CLI integration — it asks for a Taskleef API key and a small set of related binaries and does not request unrelated secrets or system-wide access.
Assessment recommendations
This skill appears coherent for managing Taskleef todos, but take these precautions before installing:
- Verify that https://taskleef.com is the legitimate service you expect.
- Inspect the 'todo' file the installer downloads from raw.githubusercontent.com before running chmod +x; raw GitHub content can be arbitrary code. Prefer installing from an official release repository or building from source when possible.
- Keep TASKLEEF_API_KEY secret: store it in the agent config or an auth file with r...
Detailed analysis
✓ Purpose and capabilities
Name/description, required binaries (todo, curl, jq), and required env var (TASKLEEF_API_KEY) all align with a CLI-based integration for Taskleef.com. The only minor metadata mismatch is that registry metadata lists no homepage while the SKILL.md includes https://taskleef.com, but this does not affect capability alignment.
✓ Instruction scope
SKILL.md instructs the agent to call the todo CLI and describes CLI flags and expected behavior. It does not instruct reading unrelated files or environment variables beyond TASKLEEF_API_KEY, and only mentions an optional auth file (~/.taskleef.auth) which is reasonable for storing credentials.
ℹ Install mechanism
The install spec will download a single 'todo' executable from raw.githubusercontent.com (Xatter/taskleef) and provides jq via Homebrew or GitHub releases. Downloads come from GitHub hosts (known/common) rather than unknown personal servers, but installing an executable fetched from a raw GitHub URL is a higher-risk operation than using a vetted package — users should review the binary/script before making it executable.
✓ Credential requirements
Only TASKLEEF_API_KEY is required and declared as the primary credential; that matches the stated purpose. The skill suggests an optional auth file and storing an API key in the agent config, which are reasonable. No unrelated credentials or excessive environment access are requested.
✓ Persistence and privileges
The skill is not always-enabled and does not request elevated or persistent system privileges. It does not modify other skills' configs or system-wide settings beyond suggesting where to store an API key in the user's Clawdbot config (normal for skill configuration).
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.1 2026/1/27
Added installer metadata for automatic installation of todo CLI and jq dependencies via Clawdbot's Skills UI.
● Suspicious
Install command
Official: npx clawhub@latest install taskleef
Mirror (accelerated): npx clawhub@latest install taskleef --registry https://cn.longxiaskill.com