Oathe Security Badge

Is jdrhyne/todo-tracker safe?

https://github.com/openclaw/skills/tree/main/skills/jdrhyne/todo-tracker

94
SAFE

The TODO Tracker skill is a legitimate utility for managing persistent TODO lists across agent sessions. It includes a well-written bash script for file operations but shows no signs of malicious behavior, data exfiltration, or security vulnerabilities.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 100/100 · 25%
Code Execution 80/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 90/100 · 5%

Findings (2)

LOW Bash Script Execution -20

The skill includes an executable bash script (todo.sh) that performs file operations. While the script appears well-written and legitimate, any executable code presents inherent risk.

INFO Heartbeat Integration -5

The skill includes heartbeat integration that triggers automatically on system heartbeats to issue reminders about stale items. This is documented behavior, but it represents automated agent interaction.