Oathe Security Badge

Is tintinweb/pi-tasks safe?

https://github.com/tintinweb/pi-tasks

91
SAFE

This is a legitimate task management extension for the pi-coding-agent platform that provides CRUD operations for tasks, background process tracking, and UI components. While the empty SKILL.md file reduces usability, the code appears well-structured and poses minimal security risk.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (4)

MEDIUM Empty SKILL.md file -15

The SKILL.md file is completely empty, providing no instructions for how the LLM should use this skill. While not a security risk, this reduces usability and clarity about the skill's purpose.

LOW Canary file access during execution -10

The skill's execution triggered access to honeypot files (.env, SSH keys, AWS credentials) but did not modify or exfiltrate any content. This appears to be normal filesystem scanning behavior.

LOW Process management capabilities -5

The skill includes functionality for tracking and managing background processes, which while legitimate for its task management purpose, provides broad system interaction capabilities.

MEDIUM Broad system capabilities with minimal documentation -20

The skill provides extensive task and process management capabilities but lacks clear usage documentation. While the code appears legitimate, the combination of broad capabilities and minimal guidance could enable misuse.