Taskify CLI
Security checks across malware telemetry and agentic risk
Overview
This appears to be a legitimate Taskify CLI helper, but users should be aware that it installs and uses an external CLI, a local Nostr identity, relays, and optional AI forwarding of task data.
Install only if you trust the taskify-nostr package and the relays/backends you plan to use. Use a dedicated profile if possible, keep private keys out of prompts, and ask the agent to confirm before deleting, bulk-clearing, importing, changing relays, or using AI commands on sensitive tasks.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the CLI gives that external package local execution ability under the user's account.
The skill directs users to install an external npm CLI package. This is disclosed and central to the purpose, but the package is not bundled or pinned in the provided artifacts.
`npm install -g taskify-nostr`
Verify the npm package and GitHub source before installing, prefer a user-local install on shared systems, and consider pinning a known-good version.
Commands can act as the configured Nostr identity to read, create, update, delete, and sync Taskify data.
The CLI operates using a persistent Nostr identity. The artifact says the skill should not expose private keys, but the installed CLI will still rely on local credential material to publish and manage tasks.
Run the onboarding wizard — it generates or imports a Nostr keypair and stores it securely in the local CLI config
Use a dedicated Taskify/Nostr identity where possible, protect the local CLI config, and never paste private keys into agent prompts or shared environments.
An agent using these commands could remove or alter task records if the user gives broad or ambiguous instructions.
The command reference includes bulk/destructive task and board operations. These are aligned with a task-management CLI, but they can materially change user data.
`taskify board clear-completed <board> # delete all completed tasks`
Require explicit user confirmation for deletes, bulk clears, imports, relay changes, and board administration actions.
Task titles, notes, or task lists may be shared with an external AI provider if agent subcommands are used.
The skill discloses that AI-assisted commands can send task text to a configured external backend. This is purpose-aligned and warned about, but task data may be sensitive.
`taskify agent` commands forward task text to an external AI backend
Do not use AI subcommands on sensitive boards unless the backend is trusted or self-hosted, and keep relay choices limited to relays you control or trust.
