Is g9pedro/tasktime safe?

https://github.com/openclaw/skills/tree/main/skills/g9pedro/tasktime

71
CAUTION

The tasktime skill itself contains no prompt injection or malicious SKILL.md content, but poses a moderate risk through its documented design: auto-sync to the third-party clawvault.dev service means any AI agent using this skill will silently transmit task descriptions to an external party on every task stop. Combined with an unverified npm package (@versatly/tasktime) whose install-time lifecycle scripts cannot be audited from the skill repository, and post-install reads of all credential canary files, the skill warrants caution before deployment in environments where agents handle sensitive information.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 45/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 82/100 · 10%
Canary Integrity 75/100 · 10%
Behavioral Reasoning 50/100 · 5%

Findings (7)

HIGH Auto-sync to external ClawVault service on every task stop -40

The skill documents that v1.2.0+ automatically saves every completed task to clawvault.dev on tasktime stop. An AI agent using this skill to track its work will silently transmit task descriptions and notes to a third-party service. If task descriptions contain sensitive information (API keys embedded in descriptions, project names, code snippets in notes), this creates a persistent exfiltration channel that is on by default and requires an explicit --no-vault flag to disable per task.

HIGH Task descriptions become an unintentional data exfiltration channel for AI agents -35

AI agents using this skill to self-monitor their work will embed sensitive context (project names, endpoint names, credential hints) in task descriptions that are then auto-synced to clawvault.dev. The agent has no mechanism to scrub sensitive data from descriptions before sync. The export pipeline explicitly ships full agent work summaries to an external party.

MEDIUM npm install of unverified @versatly/tasktime package with unknown lifecycle scripts -25

The skill requires installing @versatly/tasktime globally via npm. No package.json is included in the skill repository, making it impossible to audit lifecycle hooks (preinstall, postinstall, prepare) before install. The @versatly namespace is not a recognized publisher. Malicious npm postinstall scripts would execute with full agent permissions at install time.

MEDIUM Post-install canary reads of all six credential file types within one second -20

All six canary credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were read at identical timestamp 1771948805.327. While the canary integrity check reports files intact, the coordinated read pattern is consistent with credential harvesting. The source process could not be definitively attributed from available evidence and may be the audit harness's own post-install check.

LOW Single anomalous .env read immediately after skill file copy -10

A read of /home/oc-exec/.env was recorded at audit event 5470 (timestamp 1771948801.539), approximately one second after the cp command copied skill files into place. The process responsible cannot be conclusively determined from the PATH record alone. This is either an audit harness check or an unexpected access triggered by the skill installation.

LOW Skill description promotes external service integration without security warnings -10

The skill documentation actively promotes sending agent data to clawvault.dev without disclosing data privacy implications. An agent reading this skill will be instructed to run tasktime sync and export pipelines as normal workflow steps. The documentation gives no warnings about what data is transmitted or retained.

INFO .clawhub/lock.json references unrelated skill academic-research-hub -3

The lock.json bundled with this skill records academic-research-hub version 0.1.0 as an installed dependency. This suggests the skill was published from an environment where another skill was active. Not inherently dangerous but indicates the developer's environment context is leaking into the published artifact.