Is dvjn/no-nonsense-tasks safe?

https://github.com/openclaw/skills/tree/main/skills/dvjn/no-nonsense-tasks

95
SAFE

The no-nonsense-tasks skill is a clean, well-implemented SQLite task manager with no prompt injection, no data exfiltration mechanism, and no malicious install behavior. The canary credential file accesses visible in monitoring are attributable to the oathe framework's own pre/post-install baseline scans, not to the skill. The minor findings are a low-risk SQL variable interpolation pattern (the interpolated value is a hardcoded constant) and a database path that is configurable via an environment variable; neither constitutes an exploitable vulnerability in the skill's current form.

Category Scores (score · weight)

Prompt Injection 98/100 · 30%
Data Exfiltration 95/100 · 25%
Code Execution 87/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 92/100 · 5%

Findings (4)

LOW STATUS_ORDER_CASE variable interpolated directly into SQL -5

task_stats.sh and task_list.sh expand the STATUS_ORDER_CASE shell variable inside unquoted heredoc SQL queries, so its contents land in the query text verbatim. The variable is a constant defined in lib.sh and is not derived from user input, so no SQL injection is possible today. The concern is the pattern itself: if the sourced lib.sh were ever changed to derive this value from external input (an environment variable, a flag, a file), SQL injection would follow, and because the value is an ORDER BY expression rather than a literal it cannot be made safe by parameter binding; only an allowlist on the fragment would do.
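The following is an added example, not the skill's own code, showing how the STATUS_ORDER_CASE pattern can be kept while removing the latent injection path: the CASE fragment is built from an allowlist of status names instead of being accepted as free text, so even an ordering taken from the environment cannot carry SQL. The status vocabulary, the column names, the tasks schema and the NO_NONSENSE_TASKS_ORDER variable are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the skill): build the status ordering CASE expression
# from an allowlist so the heredoc interpolation in the list query stays safe
# even when the requested order comes from user-controlled input.

ALLOWED_STATUSES="todo doing done"   # assumed status vocabulary for the demo

# Exact-match membership test. A loop with = avoids the substring pitfall of
# pattern matching, where "todo doing" would otherwise pass as one status.
is_allowed_status() {
  for a in $ALLOWED_STATUSES; do
    [ "$1" = "$a" ] && return 0
  done
  return 1
}

# Emit "CASE status WHEN 'x' THEN 0 ... ELSE n END" for the requested order.
# Any argument outside the allowlist aborts with status 1 and nothing on stdout.
status_order_case() {
  case_expr="CASE status"
  rank=0
  for s in "$@"; do
    if ! is_allowed_status "$s"; then
      printf 'refusing status "%s": not in allowlist\n' "$s" >&2
      return 1
    fi
    case_expr="$case_expr WHEN '$s' THEN $rank"
    rank=$((rank + 1))
  done
  printf '%s ELSE %s END' "$case_expr" "$rank"
}

# The unquoted-heredoc interpolation the finding describes. It is safe here only
# because the fragment comes from status_order_case, never straight from the
# environment; a quoted delimiter (<<'EOF') would stop expansion entirely.
build_list_sql() {
  order_case=$(status_order_case "$@") || return 1
  cat <<EOF
SELECT id, status, title
FROM tasks
ORDER BY ${order_case}, id;
EOF
}

# Demo: take the ordering from a (hypothetical) environment variable. Word
# splitting turns a payload such as "done; DROP TABLE tasks;--" into tokens that
# each fail the allowlist, so the query is never produced.
build_list_sql ${NO_NONSENSE_TASKS_ORDER:-todo doing done}
```

Run with `NO_NONSENSE_TASKS_ORDER="done todo doing"` to see a reordered CASE, and with `NO_NONSENSE_TASKS_ORDER="id; DROP TABLE tasks;--"` to see the builder refuse and print nothing to stdout.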

LOW Database path fully controllable via NO_NONSENSE_TASKS_DB environment variable -5

The skill uses the NO_NONSENSE_TASKS_DB environment variable as the SQLite write path without validating it. This is an intended configuration feature, but it means a hostile environment could redirect every task write to an unexpected location: an NFS share, a file another process is watching, a symlink to something else, or a path chosen to collide with or impersonate another program's data.
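As an added example, not the skill's own code, here is the kind of guard a caller could put in front of NO_NONSENSE_TASKS_DB before trusting it. The default location and the policy that writes stay under $HOME are assumptions for the demo; the skill's real default is not shown on this page.

```shell
#!/bin/sh
# Added example (not from the skill): resolve the task database path from the
# environment, but only accept an absolute, non-symlinked regular-file path
# under the user's home directory. Anything else is refused with a reason.

# Assumed default when the variable is unset (hypothetical location).
default_db_path() {
  printf '%s/.local/share/no-nonsense-tasks/tasks.db' "${HOME:?HOME must be set}"
}

# Print the validated path on stdout, or print a reason on stderr and return 1.
resolve_db_path() {
  p="${NO_NONSENSE_TASKS_DB:-$(default_db_path)}"

  # Relative paths depend on the caller's cwd, which an environment can also steer.
  case "$p" in
    /*) ;;
    *) echo "db path must be absolute: $p" >&2; return 1 ;;
  esac

  # Keep writes inside the user's home. An NFS mount, a shared /tmp file or a
  # device node elsewhere is exactly what a hostile environment would aim for.
  case "$p" in
    "$HOME"/*) ;;
    *) echo "db path must be under $HOME: $p" >&2; return 1 ;;
  esac

  # Refuse a symlink at the final component or at its immediate parent: either
  # silently redirects the write to a file another process owns or watches.
  # Full canonicalisation needs realpath(1), which is not POSIX, so deeper
  # components are not checked here.
  if [ -L "$p" ] || [ -L "$(dirname -- "$p")" ]; then
    echo "db path or its parent is a symlink: $p" >&2
    return 1
  fi

  # If something already exists there it must be a regular file, not a
  # directory, FIFO or socket that sqlite3 would fail on or write into.
  if [ -e "$p" ] && [ ! -f "$p" ]; then
    echo "db path exists but is not a regular file: $p" >&2
    return 1
  fi

  printf '%s' "$p"
}

# Demo: print the path that would be used, or the refusal reason.
if db=$(resolve_db_path); then
  echo "using task database: $db"
fi
```

With `NO_NONSENSE_TASKS_DB=/mnt/nfs/shared/tasks.db` the guard refuses before any write happens; with it unset the hypothetical default under $HOME is used.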

INFO Credential file accesses confirmed as oathe framework baseline scans 0

The inotify and auditd logs show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credential files being opened and read. Timestamp correlation (epoch seconds) places these accesses at the start (1771907495) and end (1771907513) of monitoring, matching the oathe framework's own pre/post honeypot scans, with no accesses during the skill install window in between. No canary files were modified or exfiltrated.

INFO No persistent processes, listeners, or new network connections after install 0

The connection diff shows no new listening ports or established connections after installation. The install script ran a git clone, sparse checkout, file copy, and cleanup — all expected operations. No cron jobs, systemd units, or background processes were spawned by the skill.