Is brettburbidge/taskline safe?

https://github.com/openclaw/skills/tree/main/skills/brettburbidge/taskline

88
SAFE

The taskline-ai skill is a legitimate task management integration for mytaskline.com with no prompt injection, no malicious code execution patterns, and clean install behavior confirmed by monitoring. The primary concerns are architectural rather than adversarial: the skill sends all task data (including potentially sensitive business information) to an external SaaS platform by design, stores the API key in plaintext, and the primary creation script (create_task_enhanced.py) could not be fully audited due to truncation in the evidence. Canary files remain intact and no unauthorized credential access was observed.

Category Scores (score · weight)

Prompt Injection 96/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 83/100 · 20%
Clone Behavior 91/100 · 10%
Canary Integrity 93/100 · 10%
Behavioral Reasoning 84/100 · 5%

Findings (7)

MEDIUM API key stored in plaintext config file -10

The user's mytaskline.com API key is stored in references/config.json as a plaintext string with no OS-level secret storage. Any process with read access to the skill directory can extract the credential. Additionally, if an agent with filesystem access is compromised, this key is trivially readable.

MEDIUM All task content exfiltrated to third-party SaaS by design -10

Every task operation sends task titles, descriptions, project names, and people's names to mytaskline.com via its API. For users managing sensitive professional information (business projects, personnel, deadlines), this represents deliberate data egress to a service outside the user's control. This is the declared purpose of the skill but warrants explicit user awareness.

LOW subprocess.run() dispatches user-controlled text as process arguments -7

taskline_ai.py passes the raw natural language request string as subprocess arguments to child Python scripts. While list-based subprocess invocation prevents shell injection, this means an LLM could be prompted to pass unusual inputs through the skill execution chain. No exploit path is apparent given the child scripts only use the input for NLP parsing.

LOW create_task_enhanced.py source truncated — partial audit only -10

The source code for create_task_enhanced.py (the primary AI task creation script invoked by the dispatcher) is truncated at the find_or_create_project function, preventing complete static analysis. The visible portion follows benign patterns consistent with the other scripts, but full verification is not possible.

LOW API documentation references localhost:5173 instead of production endpoint -5

references/api_examples.md documents all API calls using http://localhost:5173 (a common Vite dev server port) rather than the production mytaskline.com URL. The active scripts correctly use the baseUrl from config.json, so this has no behavioral impact. However, it suggests the skill was developed against a local proxy or development server and raises mild questions about the development environment.

INFO Install via monorepo sparse-checkout is normal ClawHub pattern 0

The skill was installed by cloning the openclaw/skills monorepo with --depth 1 --no-checkout, then using git sparse-checkout to extract only the taskline subdirectory. This is the expected ClawHub installation mechanism and leaves no residual clone artifacts.

INFO Canary file syscall events attributable to PAM session init, not skill 0

PATH syscall events for .env, .ssh/id_rsa, and .aws/credentials appear at audit timestamp 1771738900.408, which predates skill installation by approximately 5 seconds. These accesses originate from the PAM/GDM session startup chain visible in the EXECVE log. The canary integrity report confirms all files are unmodified.