Back to skill

Security audit

Taskr - Persistent Task Planning & Execution for AI Agents

Security checks across malware telemetry and agentic risk

Overview

Taskr is a disclosed cloud task-management skill, but users should treat its API key and stored task notes as sensitive.

Install only if you trust Taskr with the task titles, project context, and progress notes you plan to store. Keep MCP_USER_API_KEY out of chat, logs, notes, and source control; use a separate or scoped project where possible and rotate the key if it is exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The setup section instructs users to obtain an API key and place it into environment/config values, but it does not explicitly warn that the key is sensitive, should not be pasted into chat, committed to source control, or stored insecurely. In an agent skill context, this omission increases the chance of credential leakage through transcripts, shared configs, logs, or repositories, which could allow unauthorized access to the user's Taskr project and task data.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.