
Security audit

Taskboard Cli

Security checks across malware telemetry and agentic risk

Overview

The skill is a local SQLite taskboard, with optional documented GitHub and notification integrations that need deliberate user configuration.

Safe to use as a local taskboard. Before enabling GitHub sync, webhooks, Discord notifications, or cron jobs, confirm the exact repository, channel, recipients, and data being shared; use a dedicated least-privilege token and require confirmation before closing or modifying remote issues.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding:
The reference guide expands the skill from a local SQLite taskboard into a credentialed GitHub integration that requires a repo-scoped token and performs remote API operations. This creates a capability mismatch with the stated 'no external dependencies or credentials' scope, increasing the chance that users or agents will enable networked behavior without appropriate review, consent, or guardrails.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding:
This section instructs the agent to automatically create, modify, comment on, and close GitHub Issues when sync is enabled, which is materially broader than the manifest's local-only description. Undeclared remote-write behavior is dangerous because it can cause unintended external side effects and make operators misjudge the skill's trust boundary.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding:
The guide provides concrete instructions for authenticated GitHub API use, including issue creation, updates, closure, and comments via a repo-scoped token. Introducing a credentialed external integration into a skill marketed for local task management broadens the attack surface and may prompt agents to handle secrets and perform network operations outside expected boundaries.

Intent-Code Divergence

Medium
Confidence: 94%
Finding:
The skill metadata says status-change hooks emit instructions but do not auto-execute, yet this guide says the agent should perform GitHub-side actions automatically when sync is enabled. That contradiction is risky because users may believe actions are advisory-only while the implementation may actually mutate remote systems.

Intent-Code Divergence

Medium
Confidence: 89%
Finding:
The documentation describes operational steps to notify Discord channels as part of status changes and cron workflows, which conflicts with the stated model that hooks only emit instructions and do not auto-execute. In a multi-agent environment, this mismatch can cause operators or downstream automation to assume outbound messaging is sanctioned or automatic, increasing the risk of unintended data disclosure, covert exfiltration, or unsafe agent-triggered side effects.

Missing User Warnings

Medium
Confidence: 92%
Finding:
The instructions tell users to set a repo-scoped personal access token in an environment variable but do not clearly warn that the token is sensitive and must never be printed, logged, committed, or embedded in files. In an agent context, insufficient secret-handling guidance increases the risk of accidental credential exposure through prompts, logs, shell history, or generated config.

Missing User Warnings

Medium
Confidence: 90%
Finding:
The guide describes automatic remote issue creation, updates, comments, closure, and local taskboard modification without a prominent warning that these actions change external and local state. In a multi-agent workflow, silent state-changing behavior can lead to unintended edits, confusing audit trails, and operational disruption.

External Transmission

Medium
Category: Data Exfiltration
Content:
### Create Issue
```bash
curl -X POST https://api.github.com/repos/OWNER/REPO/issues \
  -H "Authorization: token $GITHUB_TOKEN" \
  -H "Accept: application/vnd.github.v3+json" \
  -d '{
```
Confidence: 87%
Finding:
curl -X POST https://api.github.com/repos/OWNER/REPO/issues \ -H "Authorization: token $GITHUB_TOKEN" \ -H "Accept: application/vnd.github.v3+json" \ -d '{ "title": "TASK-001: Build auth mod

External Transmission

Medium
Category: Data Exfiltration
Content:
### Create Issue
```bash
curl -X POST https://api.github.com/repos/OWNER/REPO/issues \
  -H "Authorization: token $GITHUB_TOKEN" \
  -H "Accept: application/vnd.github.v3+json" \
  -d '{
```
Confidence: 87%
Finding:
https://api.github.com/

External Transmission

Medium
Category: Data Exfiltration
Content:
### Update Issue Status
```bash
# Update labels
curl -X PATCH https://api.github.com/repos/OWNER/REPO/issues/ISSUE_NUMBER \
  -H "Authorization: token $GITHUB_TOKEN" \
  -d '{"labels": ["status:in-progress", "backend"]}'
```
Confidence: 87%
Finding:
https://api.github.com/

External Transmission

Medium
Category: Data Exfiltration
Content:
```bash
  -d '{"labels": ["status:in-progress", "backend"]}'

# Close issue (when done)
curl -X PATCH https://api.github.com/repos/OWNER/REPO/issues/ISSUE_NUMBER \
  -H "Authorization: token $GITHUB_TOKEN" \
  -d '{"state": "closed"}'
```
Confidence: 89%
Finding:
https://api.github.com/

External Transmission

Medium
Category: Data Exfiltration
Content:
### Add Comment
```bash
curl -X POST https://api.github.com/repos/OWNER/REPO/issues/ISSUE_NUMBER/comments \
  -H "Authorization: token $GITHUB_TOKEN" \
  -d '{"body": "PR #42 ready for review"}'
```
Confidence: 86%
Finding:
https://api.github.com/

VirusTotal

65/65 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.