ClawHub

Vikunja Tasks

Security checks across malware telemetry and agentic risk

Overview

This Vikunja task skill mostly matches its stated purpose, but a script flaw can let specially crafted search or filter text run local commands, so it needs review before use.

Install only after patching the URL-encoding bug in scripts/vikunja.sh so user text is passed to Python as an argument or environment variable. Use a limited Vikunja token, treat it as a secret, confirm any create/complete/project actions before running them, and enable the cron/Telegram notification only if recurring checks and external task notifications are intended.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill clearly invokes shell scripts and makes network calls to a self-hosted Vikunja API, but it declares no permissions or capability boundaries. This can cause the agent to perform external actions and data-modifying operations without transparent consent or policy enforcement, increasing the chance of unintended task/project changes or data disclosure.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The description uses broad phrases like managing tasks, reminders, and to-do lists, which overlap with many ordinary user requests and can cause the skill to trigger in situations where the user did not intend to use the Vikunja integration. Because this skill can operate on a live self-hosted instance, overbroad routing increases the risk of unintended external actions or exposure of private task data.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation describes commands that can create projects, create tasks, and complete tasks, but it does not warn users that the skill can modify live data on their Vikunja instance. Without an explicit warning, users may treat the skill as read-only and authorize operations they do not realize will persist remotely.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The setup instructions require an API token but provide no guidance on secure handling, storage, redaction, or avoiding accidental disclosure in logs or prompts. This raises the risk of credential leakage, especially in agent environments where environment variables, command history, or transcripts may be exposed.

Natural-Language Policy Violations

Medium
Confidence
76% confidence
Finding
Hardcoding America/Denver as the timezone for all times can cause task due dates, reminders, and monitoring behavior to be evaluated incorrectly for users in other locales. In a task-management context this can lead to missed or premature notifications and unintended workflow actions, though it is primarily an integrity/usability issue rather than direct compromise.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal