ClawHub
Code PluginExecutes codesource-linked

Tasks

Native OpenClaw tasks plugin with local task storage and planning tools

Community code plugin. Review compatibility and verification before install.
tasks · runtime id tasks
Install
openclaw plugins install clawhub:tasks
Latest Release
Version 0.1.1
Compatibility
{
  "builtWithOpenClawVersion": "0.1.1",
  "pluginApiRange": ">=2026.3.23"
}
Capabilities
{
  "bundledSkills": [],
  "capabilityTags": [
    "executes-code"
  ],
  "channels": [],
  "commandNames": [],
  "configSchema": true,
  "configUiHints": false,
  "executesCode": true,
  "hooks": [],
  "httpRouteCount": 0,
  "materializesDependencies": false,
  "providers": [],
  "runtimeId": "tasks",
  "serviceNames": [],
  "setupEntry": false,
  "toolNames": []
}
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name, description, SKILL.md, plugin manifest, and source files all implement a local task manager that stores data in a JSON file (default: ~/.openclaw/state/tasks/tasks.json). That functionality is coherent with the stated purpose. Minor inconsistency: the registry metadata says "No install spec — instruction-only skill," but the package contains a full npm project, build step, and explicit install instructions in README/SKILL.md.
Instruction Scope
Runtime instructions and the skills SKILL.md are narrowly scoped to task creation, listing, updates, and agenda views. They do not instruct the agent to read unrelated system files or call out to external endpoints. However, the skills/tasks/SKILL.md includes metadata {"openclaw":{"always":true}} which requests force-inclusion (see persistence_privilege) and is a notable instruction-scope divergence from typical skill behavior.
Install Mechanism
There is no formal install spec in the registry, but README/SKILL.md instructs npm install, npm run build, and openclaw plugins install/enable. The package is a normal Node project with a package-lock.json. The lockfile contains many transitive packages (AWS, Anthropic SDKs, etc.), likely pulled in by transitive dependencies (openclaw), which increases attack surface even though no external arbitrary URLs or shorteners are used.
Credentials
The skill declares no required environment variables or credentials. The plugin operates on a local JSON file path (configurable) and uses standard Node fs/os APIs. Requested configuration (storagePath, agenda horizon, auto-archive days) is proportional to the plugin's purpose.
!
Persistence & Privilege
The embedded skills/tasks/SKILL.md contains metadata requesting always: true (force-include in every agent run). Always:true combined with autonomous invocation increases blast radius if the plugin or its transitive deps are compromised. The manifest (openclaw.plugin.json) does not set always; this inconsistency should be clarified before installation.
What to consider before installing
What to consider before installing: - The code implements a local task manager and appears to only read/write a JSON file at a configurable storagePath — that matches the description. - However, the skills SKILL.md contains metadata requesting always:true (force-inclusion). Ask the author why the plugin needs to be force-loaded for every agent session; prefer always:false unless there is a clear reason. - Registry metadata lacks an explicit install spec even though this package is a full npm project; the README instructs you to run npm install and build. Confirm how your OpenClaw installation will perform plugin installs and whether install scripts run automatically. - The package-lock contains many transitive libraries (AWS, Anthropic, etc.). This is likely benign (pulled in by the openclaw dependency), but it enlarges the supply chain. If you have strict policies, review the lockfile and run an npm audit and dependency review before installation. - Verify the configured storagePath and file permissions (default: ~/.openclaw/state/tasks/tasks.json) so the plugin only has access where you expect. Consider running the plugin in an environment or user account with limited filesystem scope if you have concerns. - If the author can confirm (a) the always:true metadata is accidental or can be removed, and (b) the transitive dependency set is expected (e.g., from openclaw), this would lower the risk and could change the assessment to benign. Confidence notes: assessment is medium confidence because the code is readable and matches its stated purpose, but the metadata/install inconsistencies and large transitive dependency tree are unexplained and warrant confirmation.
Verification
{
  "hasProvenance": false,
  "scanStatus": "pending",
  "scope": "artifact-only",
  "sourceCommit": "48b17934f9de9b68bc7f70aef81f03eebe81f0ff",
  "sourceRepo": "clawic/plugins",
  "sourceTag": "main",
  "summary": "Validated package structure and linked the release to source metadata.",
  "tier": "source-linked"
}
Tags
{
  "latest": "0.1.1"
}

Tasks Plugin

Native OpenClaw plugin that adds local task management with:

  • task creation, listing, updates, completion, reopening, and deletion
  • projects, tags, priorities, due dates, scheduling, and estimates
  • checklist items and task notes
  • recurring tasks with automatic next-instance creation
  • agenda views for overdue, due soon, scheduled, and backlog work

Install

npm install
npm run build
openclaw plugins install .
openclaw plugins enable tasks
openclaw gateway restart

Config

{
  plugins: {
    entries: {
      tasks: {
        enabled: true,
        config: {
          storagePath: "~/.openclaw/state/tasks/tasks.json",
          defaultProject: "inbox",
          agendaHorizonDays: 7,
          autoArchiveCompletedDays: 30,
        },
      },
    },
  },
}

If storagePath is omitted, the plugin stores data in ~/.openclaw/state/tasks/tasks.json.

Tools

  • tasks_create
  • tasks_list
  • tasks_update
  • tasks_complete
  • tasks_reopen
  • tasks_delete
  • tasks_note
  • tasks_agenda