Is d-wwei/local-task-runner safe?

https://github.com/openclaw/skills/tree/main/skills/d-wwei/local-task-runner

Overall score: 44/100 (weighted from the category scores below; higher is safer)
Verdict: DANGEROUS

The local-task-runner skill is an unsandboxed arbitrary Node.js code execution engine. Its SKILL.md instructs the LLM agent that loads it to treat the skill as its default execution method, so nearly any computational task is routed through a child_process.exec() wrapper that runs with the agent's full host privileges and no isolation of any kind. The prompt steers the agent's tool selection, the README's safety claims obscure the absence of any sandbox, and a single call is enough to read credentials and send them off-host using only Node.js built-ins. No exfiltration was observed during the install window and the canary files remain intact, but the skill's architecture makes it trivially weaponizable by anyone who can craft or influence a single agent prompt.

Category Scores

Each category is scored out of 100 (higher is safer); the percentage is the category's weight in the overall score.

Prompt Injection       35/100 · 30%
Data Exfiltration      50/100 · 25%
Code Execution         15/100 · 20%
Clone Behavior         90/100 · 10%
Canary Integrity       80/100 · 10%
Behavioral Reasoning   10/100 ·  5%

Findings (9)

CRITICAL Unsandboxed Arbitrary Code Execution Engine -85

index.js accepts arbitrary Node.js source code as a CLI argument (--code), writes it verbatim to a temp file under .tasks/, and executes it via child_process.exec() with no filesystem isolation, no network restrictions, no privilege dropping, no seccomp profile, and no container boundary. The sole safety control is a configurable timeout defaulting to 30 seconds, and it bounds only how long the code may run. Until it fires, the submitted code runs as the same user as the agent, inherits the agent process's environment (exec() passes the parent's environment by default), and has unrestricted access to the host filesystem, network, and process tree.

HIGH Skill Claims Default Priority Over Agent Tool Selection -35

SKILL.md instructs the LLM agent that loads it that this skill 'is the default execution method when subagent spawning is unavailable or inefficient.' This is a behavioral override embedded in the skill prompt itself: it attempts to hijack the agent's tool-selection logic and route any code-execution decision through an unsandboxed executor without requiring explicit user direction.

HIGH Overly Broad Invocation Guidance Normalizes Arbitrary Code Execution -30

SKILL.md instructs the agent to call run_task for 'calculations, system status, or utility scripts' — effectively any computational task. This normalization ensures a wide variety of benign-seeming user requests will be routed through the unsandboxed code runner, making the skill trivially weaponizable via crafted prompts that appear routine.

HIGH Execution Framework Enables One-Call Credential Exfiltration -40

Via a single run_task call, any attacker who can influence agent prompts can read arbitrary sensitive files and POST them to an external server using only Node.js built-in modules (such as fs and https), with no additional dependencies required. The skill's post-execution cleanup deletes only the temp JS file, so once the exfiltration has completed within the timeout window no persistent artifact of it remains on disk.

MEDIUM Misleading Safety Claims Obscure Complete Absence of Sandboxing -60

The skill README advertises 'Safety: Isolates execution logic, handles cleanup, and enforces timeouts.' The actual implementation provides only a configurable timeout and deletion of the temp JS file after execution. There is no chroot, no user, mount or network namespace, no seccomp filter, and no capability dropping. Describing a timeout as 'isolation' is materially misleading and gives consumers false confidence in a control that does not exist.

MEDIUM Designed to Replace Agent Safety Boundaries Around Code Execution -30

The skill explicitly frames itself as a 'Replace Subagents' mechanism and highlights as a selling point that it requires 'No manual file management (write + exec + rm).' Subagent spawning flows in agent frameworks often include user approval gates, tool whitelists, or sandboxed environments. By replacing subagents with a direct exec() call and eliminating the visible write+exec+rm trail, the skill reduces visibility and bypasses per-action review.

MEDIUM All Six Canary Credential Files Read Post-Install Without Clear Attribution -20

OPEN+ACCESS syscalls were recorded against all six canary files at 1771905332.816-817 (Unix epoch seconds), after skill installation completed. While the batch pattern is consistent with oathe's canary verification routine, the process responsible cannot be definitively identified from the available audit data. All files remain unmodified and no confirmed exfiltration occurred.

LOW Canary Files Also Read at Install Start With Same Pattern -10

The identical set of six canary files was also read at 1771905313.761-768, concurrent with oathe audit initialization. The consistent pattern across both windows suggests the oathe infrastructure, not the skill, is responsible for these reads.

INFO Declared Dependency Not Installed; Author Attribution Mismatch 0

package.json declares uuid ^9.0.0 as a runtime dependency, but index.js uses only the Node.js built-in crypto.randomBytes() for task ID generation. npm install was never triggered, so the uuid package was never fetched. The mismatch could indicate that the dependency usage was stripped from the code so that no install step (and no install-hook scanning) is needed, though a stale manifest would look the same. Additionally, _meta.json lists the owner as 'd-wwei' while package.json lists the author as 'OpenClaw'.