Google Tasks
v1.0.0Fetch, display, create, and delete Google Tasks using the Google Tasks API. Use when the user asks to check, view, list, get, add, create, remove, or delete their Google Tasks, to-do lists, or task items. Handles OAuth authentication automatically using bash script with curl and jq.
⭐ 1· 2k·7 current·7 all-time
byAddo.Zhang@addozhang
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The skill name/description match the implementation: scripts call the Google Tasks REST API and perform create/list/delete operations. Minor incoherence: the registry metadata declares no required binaries/env, but SKILL.md and the scripts require curl, jq and (for the auth helpers) Node.js or Python and a local credentials.json/token.json. package.json lists google-auth-library and googleapis, yet there is no automated install spec — this is plausible but should be documented to users.
Instruction Scope
SKILL.md instructs the agent to run local bash/node/python scripts, open a browser for OAuth, and store token.json in the workspace root. The runtime behavior is limited to reading/writing credentials.json and token.json and calling Google endpoints (accounts.google.com, oauth2.googleapis.com, tasks.googleapis.com). There are no hidden external endpoints, obfuscated code, or instructions to read unrelated system files.
Install Mechanism
There is no install spec in the registry (instruction-only), which is low risk. The repo contains package.json dependencies for Node; the README suggests running npm install, but there's no automated installer. All code is local and uses standard, well-known hosts (Google). No downloads from untrusted URLs or extract semantics were found.
Credentials
The skill requests no environment variables, and it uses local credential files (credentials.json and token.json) rather than injected secrets — this is proportionate to a Google OAuth flow. Users should note that token.json contains access/refresh tokens and credentials.json contains client_id/secret; both are sensitive and must be protected (the project includes a .gitignore entry for them).
Persistence & Privilege
always is false and the skill does not request system-wide privileges. It writes only its own token.json in the workspace root and starts a temporary local HTTP server for the OAuth redirect (port 3000). It does not modify other skills or global agent settings.
Assessment
This skill appears to do what it says, but before installing or running it: 1) Review and never commit credentials.json or token.json — these contain your client secret and tokens. 2) Run npm install (or otherwise install Node/Python) before using the Node/Python auth helpers; inspect package.json dependencies. 3) The auth flow starts a local HTTP server (port 3000) and opens your browser to complete OAuth — ensure that behavior is acceptable. 4) If you prefer, run the scripts manually the first time to observe what they do; verify all network calls are to Google endpoints (accounts.google.com, oauth2.googleapis.com, tasks.googleapis.com). 5) If you will use this in a shared environment, consider creating a dedicated OAuth client with minimal scopes and adding only required test users in Google Cloud Console.Like a lobster shell, security has layers — review code before you run it.
latestvk974ez1rw62w79gn869fmbhqnd80nzjr
License
MIT-0
Free to use, modify, and redistribute. No attribution required.