Is mfaiz-007/unitask-agent safe?

https://github.com/openclaw/skills/tree/main/skills/mfaiz-007/unitask-agent

92
SAFE

The unitask-agent skill is a clean MCP integration for the Unitask task management SaaS. No prompt injection, executable code, malicious install behavior, or canary file exfiltration was detected. The primary residual risk is inherent to the skill's purpose: user task data is transmitted to a third-party service currently in public beta, and the required API token must be stored in the agent environment. All observed sensitive-file accesses during monitoring were attributable to the Oathe audit framework's own baseline checks, not to the skill.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 82/100 · 25%
Code Execution 98/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 88/100 · 5%

Findings (5)

LOW Task data routed to third-party SaaS in public beta -10

All task management operations transmit user data (task titles, notes, tags, time-block schedules) to unitask.app, a service explicitly described as being in public beta. Public beta services may have weaker security postures, less mature data handling practices, and higher risk of ownership or policy changes. Users should understand that their productivity data will reside on this external platform.

LOW API token stored in agent environment -8

The skill requires UNITASK_API_KEY to be stored in the agent's secret store. If the agent environment is compromised or another malicious skill reads environment variables, this token could be exfiltrated. The skill correctly instructs users never to paste tokens in chat, which mitigates the most common exposure vector.

INFO Canary file reads by audit framework, not the skill 0

Sensitive files (.env, .ssh/id_rsa, .aws/credentials, etc.) were opened at timestamps 1771922987 and 1771923010. Cross-referencing with the process execution log, these reads occur before and after the git clone (which runs at 1771922992) and correspond to the Oathe audit framework's own canary baseline and post-install integrity checks. No reads attributable to the installed skill were observed.

INFO Destructive operations are gated behind confirmation defaults 0

The skill explicitly requires dry_run=true before applying move_subtask and merge_parent_tasks, and instructs the agent to confirm delete operations unless the user has explicitly requested deletion. This reduces the risk of unintentional data loss during normal agent operation.

INFO No prompt injection patterns detected 0

SKILL.md was inspected for all known prompt injection patterns: override instructions, ignore-previous-instructions phrases, hidden Unicode, HTML comment tricks, persona hijacking, and unexpected permission escalation. None were found. The skill content is straightforward API documentation.