TaskOps

Advisory

Audited by static analysis on May 13, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used with the real executor, TaskOps may change local TaskOps files and perform work based on the graph rather than only summarize it.

Why it was flagged

The documented workflow can dispatch a real agent executor and mutate TaskOps state. This is disclosed and central to the skill, with scoping options such as work-dir, max steps, time limits, and dry-run.

Skill content

`taskops run <work-dir> ... [--executor dry-run|openclaw-agent] ...`; `the runner is the layer that actually mutates state`

Recommendation

Start with dry-run, set `--max-steps` and timeouts, inspect `taskops next`/`taskops explain`, and only use `--executor openclaw-agent` when you intend real agent execution.

What this means

A user or agent could end up running whatever `taskops` binary is present on the system, which may not be the reviewed implementation.

Why it was flagged

The primary operational CLI is referenced outside the provided skill package, while the supplied install metadata does not define how that CLI is installed or pinned.

Skill content

`../cli/` — installable `taskops` CLI for `init / validate / summary / show / decompose / refactor / run` plus git-backed vault setup/sync

Recommendation

Verify the installed `taskops` CLI source and version before use, and avoid installing or running an untrusted similarly named package.

What this means

Task files, execution logs, and summaries in the selected vault could be pushed to a configured Git remote and shared with others.

Why it was flagged

The skill documents user-directed Git sync and watch-sync workflows that can propagate local TaskOps vault changes to a remote repository.

Skill content

`taskops vault-init <vault-dir> --repo-url <url> --branch <branch> --auto-sync true`; `taskops git-sync <vault-dir> --message <message>`; `taskops watch-sync <vault-dir> --debounce-ms 5000`

Recommendation

Use a private/intended repository, review changes before syncing, and avoid enabling auto-sync or watch-sync for vaults containing secrets or unrelated private notes.

What this means

Old, incorrect, sensitive, or maliciously edited task files could influence later agent decisions or expose work details inside the workspace.

Why it was flagged

TaskOps intentionally stores durable task state, execution history, and summaries that future agent work may read and treat as project context.

Skill content

Canonical state lives in markdown files arranged around `task-groups/`, `snapshots/`, `runs/<run-id>/`; `Task graph = decomposition truth`; `Run graph = execution truth`

Recommendation

Keep TaskOps work directories trusted and scoped, review task/run files before reuse, and avoid storing secrets in task logs or summaries.