Security audit

TaskOps

Security checks across malware telemetry and agentic risk

Overview

TaskOps is a disclosed work-tracking and runner-control skill with powerful git and daemon workflows that are expected for its purpose but should be used deliberately.

Install this only if you want TaskOps to manage file-backed work state and, optionally, synchronize a chosen vault or repository. Before using git-sync, git-push, vault-init, watch-sync, runner watch, or daemon install: review the target directory for unrelated files or secrets, confirm the remote repository and branch, use dry-run mode and timeouts for unattended runs, and do not start a daemon unless you want persistent local automation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch (Medium, 97% confidence)

Finding: The skill accepts a user-supplied repo URL and branch, then clones, checks out, fetches, and pulls that repository into a local path. For a task-graph management skill, this materially expands scope into arbitrary remote code/content acquisition, which can exfiltrate credentials via git transport, overwrite local workspace state, or bring untrusted repository content into later agent workflows.

Description-Behavior Mismatch (High, 98% confidence)

Finding: The code stages all changes with git add -A and commits them with a caller-provided message, enabling repository-wide mutation well beyond task tracking. In an agent setting, this can sweep unrelated files, secrets, or user changes into a commit and later publish them, creating integrity and confidentiality risks disproportionate to the stated skill purpose.

Context-Inappropriate Capability (High, 98% confidence)

Finding: The CLI exposes git-status, git-pull, git-push, and git-sync commands, turning a task-ops utility into a repository automation tool. In context, that is dangerous because agents may invoke these commands as part of normal workflow and accidentally modify or publish repository contents, especially when paired with the broad commit behavior elsewhere in the file.

VirusTotal

63/63 vendors flagged this skill as clean.