Back to skill

Security audit

Google Tasks

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Google Tasks integration, but it can change live tasks and stores OAuth tokens locally, so users should handle it carefully.

Install only if you are comfortable granting read/write access to your Google Tasks. Keep credentials.json and token.json private, avoid shared or committed workspaces, and ask the agent to list or confirm the exact task before running deletion commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill documents shell scripts that perform network access, read OAuth tokens, and rely on local configuration, but it declares no permissions or capability boundaries. This can mislead users and policy systems about what the skill can do, reducing informed consent and making review or sandboxing less effective.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README instructs users how to delete tasks but does not clearly warn that deletion is destructive and may be irreversible. In an agent-driven context, where actions may be triggered quickly or through natural language, missing warnings increase the chance of accidental data loss.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The trigger language is very broad and overlaps with common requests like checking, adding, or deleting tasks and to-do items. That increases the chance the skill is invoked in situations the user did not specifically intend, which is especially risky because the skill supports destructive task deletion and authenticated API actions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation includes direct deletion commands for tasks without emphasizing confirmation, reversibility limits, or user verification before destructive operations. In a skill that can act on authenticated personal data, this increases the risk of accidental or unintended deletion.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The setup documentation instructs users to save OAuth tokens to `token.json` and notes that subsequent runs will reuse and refresh those credentials, but it gives no warning that this file contains sensitive bearer/refresh tokens that must be protected. If the file is exposed through weak file permissions, source control commits, backups, or shared environments, an attacker could reuse the tokens to access the user's Google Tasks data until revoked or expired.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The OAuth exchange writes access and refresh tokens to token.json on disk without any explicit warning, consent, or mention of storage protections. Persistent token storage creates credential exposure risk if the file is readable by other local users, checked into source control, or left unprotected on disk.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The script automatically launches the browser via a subprocess without user confirmation. This can surprise users and, in automation or remote environments, may trigger unintended local actions or mask the fact that external authentication is being initiated.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"keywords": ["google-tasks", "tasks", "todo", "productivity", "bash", "oauth"],
  "license": "MIT",
  "dependencies": {
    "google-auth-library": "^9.0.0",
    "googleapis": "^144.0.0"
  }
}
Confidence
90% confidence
Finding
"google-auth-library": "^9.0.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"license": "MIT",
  "dependencies": {
    "google-auth-library": "^9.0.0",
    "googleapis": "^144.0.0"
  }
}
Confidence
90% confidence
Finding
"googleapis": "^144.0.0"

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.exposed_secret_literal

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/refresh_token.js:133

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/refresh_token.js:44