Bundle Plugin · source-linked

TaskTrace MCP

TaskTrace MCP integration package for OpenClaw, Claude Code, and Cursor-compatible bundles.

tasktrace-mcp · runtime id tasktrace-mcp
Install
openclaw bundles install clawhub:tasktrace-mcp
Latest Release
Version 1.8.0
Compatibility
{
  "builtWithOpenClawVersion": "1.8.0"
}
Capabilities
{
  "bundleFormat": "Codex",
  "capabilityTags": [
    "bundle-only",
    "format:Codex",
    "host:OpenClaw",
    "host:Codex",
    "host:Claude",
    "host:Cursor"
  ],
  "executesCode": false,
  "hostTargets": [
    "OpenClaw",
    "Codex",
    "Claude",
    "Cursor"
  ],
  "runtimeId": "tasktrace-mcp"
}
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, and manifests consistently describe a local MCP integration that launches the TaskTrace desktop binary at /Applications/TaskTrace.app/Contents/MacOS/TaskTrace --mcp-stdio. The files present (.mcp.json and plugin manifests) match the stated purpose and there are no unrelated credentials or binaries requested.
Instruction Scope
The SKILL.md instructs standard plugin install steps for OpenClaw/Claude/Codex and explicitly modifies local plugin caches and marketplace entries under the user's home (~/.agents, ~/.codex, etc.) and restarts local gateways. Those actions are expected for installing a local plugin, but they do touch local config and cache files. The package also states it exposes 'work history, activity feeds, and screenshots' — a privacy-sensitive data surface that is coherent with the plugin's purpose but important to understand. Additionally, the README and npm scripts reference install/build scripts that are not present in the published file list (see install script names in package.json). That mismatch could break the documented install steps or indicate an incomplete package.
Install Mechanism
This is an instruction-only skill with no install spec, so it does not pull arbitrary code at agent runtime. That is low-risk. However, the package.json contains npm scripts that would run Node scripts (e.g., install:codex-local) and reference shell helpers; those script files are not included in the provided file manifest. Running npm install/npm run (if you follow the README) would fetch dependencies and execute scripts on your machine — so inspect the package contents before running npm scripts. No external downloads or strange URLs are present in the reviewed files.
Credentials
The skill requests no environment variables, no credentials, and no config paths beyond manipulating its own plugin/cache locations. That is proportionate to the stated goal. Note: functionality will rely on the local TaskTrace app being installed at the hardcoded macOS path; also the plugin is explicitly designed to expose local activity and screenshots to the client agent, which is a sensitive capability even though no secrets are requested.
Persistence & Privilege
always is false and the skill does not request persistent platform privileges. It will register itself as a client plugin, and the README suggests enabling OpenClaw's 'tools.profile' = 'full' which increases agent capabilities — this combined with access to screenshots/work-history is a privacy consideration. Autonomous agent invocation is allowed (default) — not unusual, but note the potential blast radius if you permit agents to call MCP servers that expose local screenshots.
What to consider before installing
This package is mostly coherent with its stated purpose (registering a local TaskTrace MCP server), but review these before installing:

  1. Confirm you actually have /Applications/TaskTrace.app at that path — the plugin only points local clients at that binary.
  2. Understand privacy impact: the manifests advertise access to activity history and screenshots; installing lets local agents query that data.
  3. The README and package.json mention npm scripts and install helper scripts that are not present in the published file list — do not run npm install/npm run without inspecting the scripts first.
  4. Inspect the package contents you will install (especially any scripts under scripts/ or files that would be executed) and verify the publisher (tasktrace.com) and repository.
  5. If you need to limit exposure, avoid enabling broad tool profiles or restrict which agents can invoke MCP plugins.

If you want more certainty, request the missing script files / a complete release artifact from the author or install in a sandboxed environment first.
Verification
{
  "hasProvenance": false,
  "scanStatus": "pending",
  "scope": "artifact-only",
  "sourceCommit": "e5ceeb3",
  "sourceRepo": "warrenronsiek/TaskTraceMCPPlugin",
  "sourceTag": "v1.8.0",
  "summary": "Validated package structure and linked the release to source metadata.",
  "tier": "source-linked"
}
Tags
{
  "latest": "1.8.0"
}

TaskTraceMCPPlugin

TaskTraceMCPPlugin is the standalone public packaging repo for connecting the local TaskTrace desktop app to MCP-capable clients.

Full documentation — resources, tools, installation, and configuration — is at tasktrace.com/docs.

It currently includes packaging for:

  • OpenClaw compatible bundles
  • Claude Code local plugins
  • Codex local plugins
  • Cursor-compatible bundle metadata
  • generic .mcp.json stdio server wiring

The server itself is still the TaskTrace desktop app. Every client path here launches:

/Applications/TaskTrace.app/Contents/MacOS/TaskTrace --mcp-stdio
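
One way to confirm that claim for a given checkout before installing it, as an added example that is not part of the TaskTraceMCPPlugin repository: an allow-list audit of every `mcpServers` entry found in the bundle's manifests. It assumes the standard `command` / `args` / `env` keys; the manifest bodies and the function names are constructed for illustration.

```javascript
// Added example: allow-list audit of mcpServers entries in a bundle's manifests.
// The command and flag come from the README; the manifest bodies below are
// constructed samples, not the repository's actual files.
const EXPECTED = {
  command: "/Applications/TaskTrace.app/Contents/MacOS/TaskTrace",
  args: ["--mcp-stdio"],
};

// Returns one finding per deviation from the single expected launch line.
function auditMcpServers(source, manifest) {
  const findings = [];
  for (const [name, cfg] of Object.entries(manifest.mcpServers || {})) {
    const at = `${source} [${name}]`;
    if (cfg.command !== EXPECTED.command) {
      findings.push(`${at}: command is ${JSON.stringify(cfg.command)}`);
    }
    const args = Array.isArray(cfg.args) ? cfg.args : [];
    if (JSON.stringify(args) !== JSON.stringify(EXPECTED.args)) {
      findings.push(`${at}: args are ${JSON.stringify(args)}`);
    }
    // Environment overrides can change what the launched binary loads or logs.
    const envKeys = Object.keys(cfg.env || {});
    if (envKeys.length > 0) {
      findings.push(`${at}: sets environment variables ${envKeys.join(", ")}`);
    }
  }
  return findings;
}

function auditAll(manifests) {
  return Object.entries(manifests).flatMap(([src, m]) => auditMcpServers(src, m));
}

// Constructed samples: one clean manifest, one that wraps the binary in a shell.
const sampleManifests = {
  ".mcp.json": {
    mcpServers: { tasktrace: { command: EXPECTED.command, args: ["--mcp-stdio"] } },
  },
  ".claude-plugin/plugin.json": {
    name: "tasktrace-mcp",
    mcpServers: {
      tasktrace: { command: "sh", args: ["-c", EXPECTED.command + " --mcp-stdio"], env: { DEBUG: "1" } },
    },
  },
};

for (const line of auditAll(sampleManifests)) console.log("REVIEW:", line);
```

To audit a real checkout, replace `sampleManifests` with the parsed contents of each manifest file that carries an `mcpServers` key.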

Repository layout

  • package.json: Package metadata for local install, npm pack, and publication. This repo intentionally does not expose a native OpenClaw runtime entrypoint.

  • .claude-plugin/plugin.json: Claude Code plugin manifest with inline mcpServers config.

  • .cursor-plugin/plugin.json: Cursor-compatible plugin marker.

  • .codex-plugin/plugin.json: Codex plugin manifest that registers TaskTrace as an MCP server.

  • .codex-plugin/marketplace.json: Reference marketplace entry for a home-local Codex install.

  • .mcp.json: Reusable MCP server config in standard mcpServers format, including the Codex plugin install.

  • scripts/set-version.mjs: Semver-backed helper that validates a version and syncs it across package metadata and manifests.

Docs reviewed

Current packaging state

What was verified locally on March 22, 2026:

  • openclaw plugins install . succeeded on OpenClaw 2026.3.13
  • openclaw plugins inspect tasktrace-mcp showed the bundle was discovered and enabled
  • npm pack produced a working install artifact and openclaw plugins install ./tasktrace-mcp-0.1.0.tgz also succeeded
  • claude --plugin-dir . --version accepted the local plugin layout

What still needs product-level QA on a normal TaskTrace machine:

  • a full end-to-end OpenClaw embedded-agent turn using the bundled TaskTrace MCP server
  • a full end-to-end Claude plugin session using this standalone repo
  • runtime validation on a machine where TaskTrace launches cleanly from /Applications

Install and test

OpenClaw

Install from a local checkout:

git clone https://github.com/warrenronsiek/TaskTraceMCPPlugin.git
cd TaskTraceMCPPlugin
npm pack
openclaw plugins install .
openclaw config set tools.profile '"full"' --strict-json
openclaw gateway restart
openclaw plugins list
openclaw plugins inspect tasktrace-mcp

Install from the packed archive instead:

git clone https://github.com/warrenronsiek/TaskTraceMCPPlugin.git
cd TaskTraceMCPPlugin
npm pack
openclaw plugins install ./tasktrace-mcp-$(node -p 'require("./package.json").version').tgz
openclaw gateway restart
openclaw plugins inspect tasktrace-mcp

OpenClaw should report this install as a compatible bundle, not a native runtime plugin. The bundled MCP server configuration comes from .claude-plugin/plugin.json / .codex-plugin/plugin.json and .mcp.json.

ClawHub install is currently not available:

openclaw plugins install tasktrace-mcp

ClawHub is currently broken for this plugin path: https://github.com/openclaw/clawhub/issues/1088

Claude Code

Install via the plugin marketplace (automatically registers the MCP server):

/plugin marketplace add warrenronsiek/TaskTraceMCPPlugin
/plugin install tasktrace-mcp@tasktrace-mcp

Or register the MCP server directly:

claude mcp add --transport stdio --scope project tasktrace -- /Applications/TaskTrace.app/Contents/MacOS/TaskTrace --mcp-stdio
claude mcp list

Codex

Stage the plugin into the local Codex marketplace:

npm run install:codex-local

Then:

1. Restart Codex.
2. Open the local marketplace.
3. Install `tasktrace-mcp`.

If you want to restage and reinstall from a fresh local checkout:

git clone https://github.com/warrenronsiek/TaskTraceMCPPlugin.git
cd TaskTraceMCPPlugin
npm install
npm run install:codex-local

That command is idempotent. Each run:

  • refreshes the staged plugin source bundle under the local Codex marketplace root
  • removes the old legacy ~/.codex/plugins/tasktrace-mcp location used by earlier installer versions
  • removes any cached installed copy for this plugin under ~/.codex/plugins/cache/... so the next install uses the latest staged files
  • creates or updates the local marketplace entry

The staged source bundle lives at:

~/.agents/plugins/.codex/plugins/tasktrace-mcp

The installer also creates or updates:

~/.agents/plugins/marketplace.json

with a marketplace entry whose source.path is the documented marketplace-root-relative path:

"./.codex/plugins/tasktrace-mcp"

Codex then creates the actual installed copy under its plugin cache. If the plugin was previously installed, the installer will already have removed the stale cached copy so this install behaves like a clean reinstall. The staged source bundle includes .codex-plugin/plugin.json, .mcp.json, and the required assets/ files, and registers the same local stdio server:

/Applications/TaskTrace.app/Contents/MacOS/TaskTrace --mcp-stdio
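
Before running the `npm install` and `npm run install:codex-local` steps above from a downloaded artifact, it helps to check which scripts npm would run on its own and whether every local file the scripts invoke is actually in the package. The following is an added example, not code from the repository; only `scripts/set-version.mjs` and the script names `set-version` and `install:codex-local` come from this page, and the script commands, the other file names and `reviewScripts` are constructed for illustration.

```javascript
// Added example: review package.json scripts against the published file list.
// Constructed sample; the commands and every file except scripts/set-version.mjs
// are hypothetical.
const samplePkg = {
  scripts: {
    "set-version": "node scripts/set-version.mjs",
    "install:codex-local": "node scripts/install-codex-local.mjs && sh ./scripts/restage.sh",
    prepare: "node scripts/build.mjs",
  },
};
// Constructed stand-in for the files[].path values of `npm pack --dry-run --json`.
const samplePublished = [
  "package.json",
  ".mcp.json",
  ".codex-plugin/plugin.json",
  "scripts/set-version.mjs",
];

// Hooks npm runs by itself during a plain `npm install` inside a checkout.
const LIFECYCLE = ["preinstall", "install", "postinstall", "prepare"];
// Whitespace-delimited tokens that look like a relative script path.
const LOCAL_FILE = /(?:^|\s)(?:\.\/)?([\w.-]+(?:\/[\w.-]+)*\.(?:mjs|cjs|js|ts|sh))(?=\s|$)/g;

function reviewScripts(pkg, publishedFiles) {
  const published = new Set(publishedFiles.map((p) => p.replace(/^\.\//, "")));
  const scripts = pkg.scripts || {};
  const missing = [];
  for (const [name, cmd] of Object.entries(scripts)) {
    for (const m of String(cmd).matchAll(LOCAL_FILE)) {
      // A referenced file that is not shipped means the documented step cannot
      // be reviewed from the artifact alone.
      if (!published.has(m[1])) missing.push({ script: name, file: m[1] });
    }
  }
  const autoRun = LIFECYCLE.filter((hook) => hook in scripts);
  return { missing, autoRun };
}

const report = reviewScripts(samplePkg, samplePublished);
for (const m of report.missing) console.log(`MISSING: ${m.script} -> ${m.file}`);
console.log("Runs automatically on npm install:", report.autoRun.join(", ") || "none");
```

Running `npm install --ignore-scripts` skips the lifecycle hooks listed in `autoRun` while the package is still under review.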

Generic .mcp.json

Use the included .mcp.json as a starting point for clients that support project-scoped MCP server config files.

Versioning

This repo includes semver and a version sync helper.

To set a new release version:

npm install
npm run set-version -- 0.1.1

That command validates the input as semver and syncs:

  • package.json
  • .codex-plugin/plugin.json
  • .claude-plugin/plugin.json
  • .cursor-plugin/plugin.json

The same script also writes .release-version.env for CI with:

  • RELEASE_VERSION
  • NPM_DIST_TAG
  • PACKAGE_TARBALL

Deploying changes

  1. Update .claude-plugin/plugin.json, .cursor-plugin/plugin.json, .codex-plugin/plugin.json, .codex-plugin/marketplace.json, .mcp.json, and this README as needed.
  2. Install dependencies:
npm install
  3. If you are cutting a release, bump the version with semver validation:
npm run set-version -- 0.1.1
  4. Build the release artifact:
npm pack
  5. Smoke test the generated archive with OpenClaw:
openclaw plugins install .
openclaw gateway restart
openclaw plugins inspect tasktrace-mcp

Confirm the plugin is reported as a bundle and that its bundled MCP server is present.

  6. Smoke test the Claude plugin layout locally:
claude --plugin-dir .