ClawHub
Back to skill
v1.1.0

Dex Task Tracking

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 4:51 AM.

Analysis

This is a simple local task-tracking instruction skill, with minor notes that it persists task details on disk and assumes a trusted dex command is available.

GuidanceThis skill appears benign and purpose-aligned for local task tracking. Before installing or using it, make sure the `dex` command on your machine is the intended trusted tool, and remember that task descriptions, context, and results will be saved under `.dex/tasks/` until deleted.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
SKILL.md
dex create -d "Description" --context "Background, goal, done-when"

The runtime instructions rely on a `dex` command, while the provided artifacts include no install spec or required-binary declaration. This is a provenance/completeness note rather than evidence of unsafe behavior.

User impactIf another unrelated `dex` command is installed or the intended CLI is missing, the skill may fail or run a tool the user did not expect.
RecommendationBefore using the skill, confirm that `dex` is installed from a trusted source and is the expected task-tracking CLI.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
SeverityLowConfidenceHighStatusNote
SKILL.md
Tasks stored as JSON files in .dex/tasks/.

The skill deliberately persists task descriptions, context, and results across sessions in local files, which can include project details or follow-up instructions.

User impactTask context may remain on disk and be referenced later, so sensitive details entered into tasks could persist beyond the immediate session.
RecommendationAvoid putting secrets, credentials, or highly sensitive information in task descriptions or context, and review `.dex/tasks/` when cleaning up project data.