Flatnotes + Tasks.md GitHub Audit
Pass
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a purpose-aligned audit skill, but it reads local task/notes data and uses the GitHub CLI, so you should run it only in a trusted workspace.
This skill is reasonable for its stated audit purpose. Before running it, review the script, ensure the default Tasks.md and Flatnotes paths are the ones you intend to scan, check which GitHub account `gh` is using, and avoid sharing the generated tmp reports without reviewing them.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
When run, the skill can execute gh commands in your local environment and use whatever GitHub account the CLI is currently configured for.
The bundled script runs the local GitHub CLI. This is aligned with the stated GitHub reconciliation purpose, but it is still local tool execution.
import { execFile } from 'node:child_process'; ... await execFileP('gh', args, { timeout: 30_000, maxBuffer: 10 * 1024 * 1024, ...opts });
Run it intentionally from a trusted directory and verify that `gh` is authenticated to the intended GitHub account.
The audit may access private GitHub PR metadata that your local gh account can read.
The skill expects to use the local gh authentication state when available. The artifacts show read-oriented PR listing, not token capture or GitHub mutation.
If `gh` is not authenticated, the audit still runs but GitHub checks will be marked as `SKIPPED_GITHUB`.
Make sure the active gh account and repository access are appropriate before running the audit.
The report may include project names, task titles, file paths, missing-link information, and GitHub reconciliation details.
The audit reads local task and note stores, which can contain private project details. This is necessary for the stated purpose, but users should treat generated reports as potentially sensitive.
Tasks.md root: `/home/ds/.config/appdata/tasksmd/tasks` ... Flatnotes root: `/home/ds/.config/appdata/flatnotes/data`
Inspect `tmp/flatnotes-tasksmd-audit.md` and `.json` before sharing them, and override the roots only to directories you intend to audit.
Installation metadata may not warn users that running the skill depends on Node and optionally the GitHub CLI.
The skill is packaged without declared runtime requirements, while SKILL.md instructs running a Node script and using gh. This is an under-declared dependency/provenance issue, not evidence of hidden behavior.
No install spec — this is an instruction-only skill. ... Required binaries (all must exist): none
Confirm Node is expected, review the bundled script before running it, and authenticate gh only if you want GitHub checks performed.
