Persistent task ledger for agent coordination. Plan multi-step work, checkpoint progress across session boundaries, and coordinate across multiple agents wit...
Security Analysis
high confidenceThe skill is an instruction-only wrapper for the hzl CLI and its requirements and instructions are consistent with the described purpose of providing a persistent task ledger for agents.
Name/description match the required binary and install options (hzl via Homebrew or npm hzl-cli). No unrelated credentials, config paths, or unrelated binaries are requested.
SKILL.md instructs the agent to run hzl CLI commands (project/task/lease workflows) which is appropriate for a task ledger. It explicitly warns about destructive commands (hzl init --force, prune --yes). This is expected, but the agent will be able to run commands that modify or delete local task data — the skill correctly warns to require explicit user consent before destructive actions.
Installers are standard package sources: Homebrew formula 'hzl' and npm package 'hzl-cli'. Both are reasonable for a CLI tool; no arbitrary download URLs or extract-from-unknown-host steps are present.
No environment variables, credentials, or config paths are required. The skill does not request unrelated secrets or system-wide access.
always is false and the skill is user-invocable. Model invocation is allowed (platform default). The skill does not request permanent system-wide presence or modify other skills' configs.
Guidance
This skill is coherent: it simply teaches an agent how to use the local 'hzl' CLI. Before installing or allowing the agent to use it, verify you trust the hzl Homebrew formula / npm package sources (review the GitHub project if needed). Be aware the agent will run commands that can modify or permanently delete local task data (e.g., 'hzl init --force' or 'hzl task prune --yes'); require explicit user confirmation before allowing destructive commands. If you are cautious about autonomous changes, consider restricting autonomous use (require user permission for run actions that change data) or audit the commands the agent runs during initial sessions. If you expect multi-agent/shared usage, back up any important ledger data before experimentation.
Latest Release
v2.10.0
- Documentation updated in SKILL.md with minor edits. - No changes to features or functionality; content and CLI usage remain the same. - All core instructions and workflows are unchanged for this release.
More by @tmchow
Published by @tmchow on ClawHub
