Is todo-tracker safe?

https://clawhub.ai/jdrhyne/todo-tracker

80
SAFE

The todo-tracker skill is a straightforward TODO list manager that maintains a TODO.md file using a bash script. No malicious behavior, prompt injection, data exfiltration, or network activity was detected. The primary concerns are unsanitized regex patterns in the shell script (limited blast radius) and the heartbeat integration pattern that enables persistent background execution — benign now but a trust surface for future updates.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 60/100 · 20%
Clone Behavior 75/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 70/100 · 5%

Findings (6)

MEDIUM Unsanitized regex patterns in shell script -15

The done, remove, and list commands in todo.sh pass user-supplied text directly into grep and sed regex patterns without escaping. While the blast radius is limited to TODO.md, a crafted input could match unintended lines or cause sed to behave unexpectedly.

LOW Executable bash script included -10

The skill ships with scripts/todo.sh, an executable bash script. While its operations are confined to TODO.md manipulation, shipping executable code increases the attack surface compared to a pure-prompt skill.

LOW Broad trigger phrases in skill description -5

The skill's description triggers on generic phrases like 'remember to X' and 'pending tasks', which could cause unintended skill activation during unrelated conversations.

LOW Heartbeat integration enables persistent background execution -10

The skill instructs the agent to run todo.sh summary on every heartbeat cycle. While benign in this version, this establishes a persistent execution pattern that could be abused in future updates.

INFO Platform runtime reads sensitive files during install -5

The OpenClaw platform runtime (not the skill itself) read .env, .aws/credentials, and auth-profiles.json during installation. This is platform behavior, not skill behavior, but is documented for completeness.

INFO TODO.md as potential covert data channel -5

The TODO.md file could theoretically serve as a covert channel between skills — one skill encodes data in TODO items, another reads and exfiltrates it. This is speculative and not present in the current version.