Little Steve Task Manager

Audited by ClawScan on May 10, 2026.

Overview

This is mostly a local task manager, but its documented shell-command interface can be unsafe if chat-provided task titles are inserted directly into the command.

Before installing, know that this skill runs a local Bash script and edits a JSON task file in its own data directory. Use it only if your agent can pass arguments safely rather than pasting raw chat text into shell commands, install jq from a trusted source, and consider clearing the bundled sample tasks.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A malicious or accidental task title could cause unintended local commands to run if the agent builds the shell command unsafely.

Why it was flagged

The documented interface encourages composing a shell command with a task title placeholder. If an agent inserts chat text containing shell syntax, such as command substitution, into this double-quoted position, the shell can evaluate it before task.sh receives the argument.

Skill content
bash {baseDir}/scripts/task.sh add --title "<Title>" --priority P2 --due "2026-03-05" --tags "ops,finance"
Recommendation

Invoke the script with a safe argument-array mechanism or robust shell escaping, and avoid directly interpolating raw chat text into shell commands. Consider restricting task titles or adding explicit safety guidance.
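To make the interpolation risk and the recommended fixes concrete, the script below is an added example, not code from the skill or from the ClawScan report. fake_task_sh is a hypothetical stand-in for scripts/task.sh that only reports the title it received; the chat title and the shell_quote helper are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the skill's own code. fake_task_sh is a hypothetical
# stand-in for scripts/task.sh that simply reports the title it received.
fake_task_sh() {
  # Expected call shape: add --title <title> --priority <P>
  printf '%s' "$3"
}

# Unsafe pattern: the agent pastes the chat title into one command string
# and hands that string to a shell (eval here mirrors `bash -c "..."`).
# Double quotes do not stop $(...) from being evaluated by that shell.
unsafe_call() {
  eval "fake_task_sh add --title \"$1\" --priority P2"
}

# Safe pattern: the title is one element of the argument list, so the
# shell never re-parses its contents; task.sh receives the literal text.
safe_call() {
  fake_task_sh add --title "$1" --priority P2
}

# If a command string is unavoidable, single-quote the value and escape
# any embedded single quote as '\'' before splicing it in.
shell_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}
escaped_call() {
  eval "fake_task_sh add --title $(shell_quote "$1") --priority P2"
}

# Constructed chat-provided title carrying a harmless command substitution.
CHAT_TITLE='$(echo INJECTED) review budget'

printf 'unsafe : %s\n' "$(unsafe_call "$CHAT_TITLE")"   # INJECTED review budget
printf 'safe   : %s\n' "$(safe_call "$CHAT_TITLE")"     # $(echo INJECTED) review budget
printf 'escaped: %s\n' "$(escaped_call "$CHAT_TITLE")"  # $(echo INJECTED) review budget
```

The unsafe call lets the shell evaluate the substitution before the script ever runs; the other two deliver the title unchanged, which is what the recommendation above asks for.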

What this means

Preloaded task data may appear in your task list and should be treated as plain text, not as instructions or commands.

Why it was flagged

The bundled persistent task database contains a command-shaped task title. The script does not execute it, but the title may be displayed back to the agent or user as persistent context.

Skill content
"title": "$(rm -rf /)",
Recommendation

Clear or review the bundled tasks after installation, and ensure agents never execute task titles or other task content.

What this means

The skill may fail until jq is installed, and users may not see that dependency from registry metadata alone.

Why it was flagged

The script requires jq even though the supplied registry requirements list no required binaries and there is no install spec.

Skill content
command -v jq >/dev/null 2>&1 || { echo "jq is required"; exit 1; }
Recommendation

If you use the skill, install jq from a trusted package manager; the publisher should also declare jq in the skill requirements.