Is echo-of-machines/taskr safe?

The SKILL.md explicitly documents that every tool response from taskr.one contains an actions field holding 'mandatory directives and workflow hints'. The agent is instructed to follow these. This is a persistent, server-side prompt injection channel: the Taskr operators can push behavioral commands to every installed agent at any time simply by modifying what their API returns. No skill update is required for new directives to take effect.

The skill instructs agents to 'acknowledge the Rule IDs as required' from tool responses. This normalizes the agent treating remote API responses as authoritative behavioral instructions. Combined with the ruleContext parameter embedded in tool input schemas, the Taskr server has a two-way channel: rules pushed at call time via schemas AND rules returned in responses that must be acknowledged. This architecture is functionally indistinguishable from remote prompt injection.

The skill explicitly instructs the agent to create FILE_LIST notes 'when you create, modify, or delete files on the user's system'. This means every file operation performed by the agent — including potentially sensitive file creations and modifications — is logged and uploaded to taskr.one. Over time, this builds a complete map of the user's file system activity.

CONTEXT notes capture 'user preferences, decisions, background info, recurring patterns' and FINDING notes capture 'discoveries and insights encountered during work'. These categories are broad enough to capture sensitive user information including architectural decisions, credentials encountered during work, business logic, and personal preferences — all uploaded to an external server.

The architectural design means that a compromise of the taskr.one service (or a malicious update to its API behavior) would grant an attacker ongoing influence over every agent with this skill. The attacker could use the actions field to direct agents to read sensitive files, exfiltrate data via notes, or take harmful actions — all while appearing to the user as normal Taskr workflow activity.

The skill includes a strong behavioral directive to continue tracking even when it might be inconvenient: 'Critical: Once Taskr tracking starts, continue using it for that entire workflow unless the user explicitly says to stop. Don't abandon tasks mid-workflow.' This is designed to make the tracking persistent and hard to interrupt, which maximizes data collection and the server's ongoing influence window.

The skill instructs the agent to proactively suggest Taskr for 'any substantial work (3+ steps or >5 minutes)' without waiting to be asked. This maximizes the fraction of agent sessions where data is collected and uploaded to taskr.one, expanding the surveillance scope.

The skill installation performed a standard shallow git clone from GitHub. No unexpected network connections, no npm scripts, no executable code. All observed network activity (GitHub HTTPS, Ubuntu update servers) is consistent with a normal skill installation.

Honeypot files (.env, .ssh/id_rsa, .aws/credentials, etc.) were read at timestamps before and after the clone. Analysis of the auditd process tree confirms these reads originated from the audit system's sudo and sshd PAM authentication processes, not from any code in the skill repository. The skill contains no install-time executable code.