Is jlwrow/taskmaster safe?

https://github.com/openclaw/skills/tree/main/skills/jlwrow/taskmaster

Overall score: 83/100 (SAFE)

TaskMaster is a legitimately conceived AI task delegation and cost optimization skill with no prompt injection, no canary violations, and clean installation behavior. The primary concerns are operational rather than malicious: spawned sub-agent sessions are never cleaned up (cleanup='keep'), task descriptions are logged verbatim to a persistent local file, and the author accidentally shipped real prior usage data in the cost log. The automatic Opus selection triggered by keywords such as 'security' or 'audit' creates a cost escalation vector if untrusted content reaches task descriptions.

Category Scores (score · weight)

Prompt Injection 88/100 · 30%
Data Exfiltration 79/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 87/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 74/100 · 5%

Findings (7)

MEDIUM (-15) Spawned sub-agent sessions not cleaned up

The generate_spawn_command() method hardcodes cleanup='keep' in all spawn payloads. Every sub-agent session spawned by this skill will remain alive after task completion, accumulating orphaned sessions and potentially consuming quota.

MEDIUM (-12) Task descriptions logged verbatim to persistent local file

The log_cost() method writes the full task description string to taskmaster-costs.json on every task completion. Over time this accumulates a searchable history of all user tasks, including potentially sensitive instructions.

MEDIUM (-9) Pre-populated cost log with real prior usage data shipped in package

taskmaster-costs.json is shipped inside the skill package with a real prior task entry (claw_conductor_analysis, 28,000 input tokens, Sonnet model). This reveals the skill was used in production before publishing and that production data was committed to the repo.

LOW (-10) Executable Python scripts with runnable main() included

delegate_task.py and openclaw_integration.py are fully executable Python scripts. SKILL.md directs the agent to use delegate_task.py for orchestration, which could lead an agent with shell access to execute these scripts directly.

LOW (-13) Development environment state (.clawhub/lock.json) committed to skill package

The skill includes a .clawhub/lock.json file that lists 'academic-research-hub' as an installed skill dependency. This appears to be the skill author's development environment state accidentally committed, revealing other skills in use.

LOW (-26) Cost escalation via keyword-triggered Opus selection

The complexity analysis uses regex patterns to auto-assign Opus ($15 input / $75 output per million tokens) to tasks mentioning 'security', 'architecture', 'audit', 'review', or 'optimize'. Untrusted content injected into a task description could trigger this expensive model selection.

INFO (-12) SKILL.md references external scripts as implementation

The SKILL.md implementation notes direct the agent to use scripts/delegate_task.py. While not a prompt injection, this creates an implicit instruction to execute code not visible in the SKILL.md itself.