Is bro3886/gtasks-cli safe?
https://github.com/openclaw/skills/tree/main/skills/bro3886/gtasks-cli
The gtasks-cli skill is a legitimate Google Tasks CLI wrapper with a clean SKILL.md, no injection patterns, no bundled executable code, and an appropriately scoped allowed-tools declaration. Installation was clean with no unexpected network connections, process spawning, or filesystem changes beyond the skill directory; canary file accesses were confirmed to originate from the oathe audit infrastructure rather than the skill. The only material concerns are minor credential-hygiene issues: the skill's troubleshooting path instructs echoing raw OAuth credential values to output, and it recommends persisting credentials to shell profile files in plaintext.
Findings (5)
LOW Raw credential value echoed in troubleshooting path -10
The SKILL.md error-handling section instructs the agent to run echo $GTASKS_CLIENT_ID when debugging authentication failures. This prints the raw OAuth client ID to the agent's output, which may be captured in logs, conversation history, or model context. The QUICK-REFERENCE.md similarly lists echo $GTASKS_CLIENT_ID and echo $GTASKS_CLIENT_SECRET as standard diagnostic commands; the second of these prints the OAuth client secret, which is the genuinely sensitive value. A diagnostic only needs to confirm that the variable is set (and, at most, its length), never its contents.
LOW Credential persistence to shell profile -8
The skill instructs appending OAuth credentials to ~/.bashrc or ~/.zshrc via echo redirection. While a common practice, this stores long-lived credentials in plaintext in a profile that is typically world-readable and is sourced by every interactive shell, so the values are exported into the environment of every process those shells start and can be read by any tool or process that reads the profile or dumps the environment. A dedicated file with mode 0600 that is sourced only when needed, or an OS keychain, keeps the exposure narrower.
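The two hygiene points above, as an added example that is not code from the gtasks-cli skill or the gtasks project: a diagnostic that reports whether a credential variable is set without printing its value (the replacement for the skill's echo $GTASKS_CLIENT_SECRET), and a loader that reads the credentials from a dedicated file and refuses it unless the mode is 0600 (the replacement for appending them to ~/.bashrc). The variable names come from the skill's own docs; the credentials-file path is an assumption.

```sh
# Added example (not code from the gtasks-cli skill or the gtasks project).
# Assumes the variable names GTASKS_CLIENT_ID / GTASKS_CLIENT_SECRET from the
# skill's docs; the default credentials-file location is an assumption.

# Weak form from the skill's troubleshooting path (do NOT do this):
#   echo $GTASKS_CLIENT_SECRET
# It puts the secret into logs, transcripts and model context.

# Report whether a credential variable is set, printing only its length.
# Returns 0 when set and non-empty, 1 when unset/empty, 2 on a bad name.
credential_status() {
  name="$1"
  case "$name" in
    ""|[0-9]*|*[!A-Za-z0-9_]*)
      echo "credential_status: invalid variable name" >&2
      return 2 ;;
  esac
  # name is validated as a shell identifier above, so this eval is safe
  eval "value=\${$name:-}"
  if [ -z "$value" ]; then
    printf '%s: NOT SET\n' "$name"
    return 1
  fi
  printf '%s: set (%d chars)\n' "$name" "${#value}"
  return 0
}

# Weak form from the skill (do NOT do this): long-lived secrets in a
# world-readable, always-sourced profile:
#   echo 'export GTASKS_CLIENT_SECRET=...' >> ~/.bashrc
#
# Alternative: keep KEY=value lines in a dedicated file owned by the user
# with mode 0600 and source it only in the shell that needs them. Because
# the file is executed as shell, the permission check is also what stops
# another local user from planting commands in it.
# Returns 0 on success, 1 otherwise.
load_credentials_file() {
  file="${1:-$HOME/.config/gtasks/credentials.env}"   # path is an assumption
  if [ ! -f "$file" ]; then
    echo "$file: not found" >&2
    return 1
  fi
  # GNU stat first, BSD/macOS stat as fallback; both print e.g. "600"
  perms=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  case "$perms" in
    600|400) ;;
    *)
      echo "$file: mode $perms is too permissive; run: chmod 600 '$file'" >&2
      return 1 ;;
  esac
  # Export every assignment in the file into this shell only.
  set -a
  . "$file"
  set +a
  return 0
}

# Typical use:
#   load_credentials_file && credential_status GTASKS_CLIENT_ID \
#     && credential_status GTASKS_CLIENT_SECRET && gtasks ...
```

The loader sources the file, so the mode check is doing double duty: it keeps the secrets from being read and it keeps the file from being written by anyone who could then run code in the user's shell. If the skill needs the variables in every session, sourcing this file from the profile is still better than putting the values in the profile itself.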
INFO Canary files accessed by audit infrastructure (not skill) 0
Honeypot files (.env, .ssh/id_rsa, .aws/credentials, etc.) were accessed twice during the audit window — once at 04:39:51 (pre-clone, audit baseline initialization via sudo) and once at 04:40:11 (post-install verification). Neither access originated from skill code. Canary integrity check confirms all files unmodified.
INFO Third-party binary download required for skill operation -7
The skill requires users to download the gtasks binary from GitHub Releases (github.com/BRO3886/gtasks/releases). The binary is not bundled. Supply-chain risk exists if a release asset is replaced or the publishing account is compromised, but the instruction is explicit, user-directed, and points to the author's own repository. Pinning a specific release and comparing the downloaded file against a digest recorded out-of-band (from a previously verified download or a maintainer-published checksum, where one exists) limits that risk.
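The pinning check described above, as an added example that is not part of the skill or the gtasks project: compare a downloaded release asset against an expected sha256 and refuse to proceed on mismatch. The page does not say whether gtasks releases publish checksums, so the expected digest is assumed to come from a prior verified download or from the maintainer; the sample file below is constructed for the demonstration.

```sh
# Added example (not code from the gtasks-cli skill or the gtasks project).
# The expected digest is an input: record it from a verified download or
# from a maintainer-published checksums file (assumption: one is available).

# Print the sha256 hex digest of a file using whichever tool is present.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | cut -d' ' -f1
  else
    openssl dgst -sha256 "$1" | sed 's/.*= //'
  fi
}

# Usage: verify_release_artifact FILE EXPECTED_SHA256
# Returns 0 on match, 1 on mismatch, 2 on a usage error (missing file,
# digest that is not 64 hex characters). Nothing is installed unless it
# returns 0.
verify_release_artifact() {
  file="$1"
  expected="$2"
  if [ ! -f "$file" ]; then
    echo "$file: no such file" >&2
    return 2
  fi
  case "$expected" in
    ""|*[!0-9a-fA-F]*)
      echo "expected digest is not hexadecimal" >&2
      return 2 ;;
  esac
  if [ "${#expected}" -ne 64 ]; then
    echo "expected digest must be 64 hex characters (sha256)" >&2
    return 2
  fi
  expected_lc=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected_lc" ]; then
    echo "OK: $file matches pinned sha256"
    return 0
  fi
  echo "MISMATCH: $file" >&2
  echo "  expected $expected_lc" >&2
  echo "  actual   $actual" >&2
  return 1
}

# Usage: install_pinned_binary FILE EXPECTED_SHA256 DEST
# Copies FILE to DEST with mode 0755 only after the digest check passes.
install_pinned_binary() {
  verify_release_artifact "$1" "$2" || return $?
  cp "$1" "$3" && chmod 755 "$3"
}

# Typical use, with the version pinned in the URL and the digest recorded
# beforehand (values below are placeholders, not real gtasks release data):
#   curl -fsSLo gtasks https://github.com/BRO3886/gtasks/releases/download/<tag>/<asset>
#   install_pinned_binary gtasks <expected_sha256> "$HOME/.local/bin/gtasks"
```

The check rejects a digest that is the wrong length or not hex before hashing anything, so a typo in the pinned value fails loudly instead of silently never matching. Constructed sample input: a file containing the bytes "hello" has sha256 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824.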
INFO Allowed-tools scoped appropriately to gtasks:* 0
The skill declares allowed-tools: Bash(gtasks:*), restricting agent tool use to gtasks subcommands. This is a positive security signal indicating the author correctly scoped the permission surface. No attempt to expand scope through prompt instructions.