ClawHub

gtasks-cli

ReviewAudited by ClawScan on May 10, 2026.

Overview

This is mostly a coherent Google Tasks CLI helper, but it includes instructions that could expose an OAuth secret and an unsafe cleanup example that may delete the wrong task list.

Review this skill before installing. Use it only for Google Tasks actions you explicitly request, install the gtasks binary from a trusted release, do not let the agent print OAuth secrets, and avoid the advanced test cleanup script unless it is fixed to delete only a verified test list with your confirmation.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Medium
#ASI03: Identity and Privilege Abuse
What this means

Your Google OAuth client secret could be displayed or retained in logs unnecessarily.

Why it was flagged

The quick-reference section is labeled as a run-first system check and tells the agent/user to print the OAuth client secret, which can expose credential material in terminal output, transcripts, or logs.

Skill content
# Check environment variables (macOS/Linux)
echo $GTASKS_CLIENT_ID
echo $GTASKS_CLIENT_SECRET
Recommendation

Do not echo secrets. Check only whether variables are set, for example with a redacted presence test, and update the skill metadata to accurately declare the required credentials.

Medium
#ASI02: Tool Misuse and Exploitation
What this means

Copying or running the test script could delete the wrong Google Tasks list and its tasks.

Why it was flagged

The cleanup script creates a test list but then deletes whatever task list is selected by fixed input "1", suppressing the interactive review that the normal delete flow depends on.

Skill content
test_list_creation() {
  TEST_LIST="Test_$(date +%s)"
  gtasks tasklists add -t "$TEST_LIST"

  if gtasks tasks view -l "$TEST_LIST" &> /dev/null; then
    echo "✓ List creation working"
    gtasks tasklists rm <<< "1"  # Cleanup
Recommendation

Remove this scripted deletion or require explicit user confirmation and a verified target list before any task-list delete operation.

Low
#ASI04: Agentic Supply Chain Vulnerabilities
What this means

You need to install and trust a separate gtasks binary before the skill can work.

Why it was flagged

The skill depends on an external CLI binary that is not included or pinned by an install spec. This is expected for the stated CLI wrapper purpose, but users must trust and verify that external download.

Skill content
Download the binary for your system from [GitHub Releases](https://github.com/BRO3886/gtasks/releases)
Recommendation

Install only from the intended repository, prefer a pinned release, and verify checksums or signatures if available.

Low
#ASI10: Rogue Agents
What this means

A scheduled script could continue checking your tasks in the background until you remove it.

Why it was flagged

The advanced reference suggests a recurring scheduled reminder script. It is disclosed and purpose-aligned, but it would keep accessing Google Tasks after the initial setup.

Skill content
# Add to crontab: 0 9 * * * /path/to/task-reminder.sh
Recommendation

Only add scheduled jobs intentionally, document them, and remove them when no longer needed.