TaskTrace MCP
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a TaskTrace MCP bundle whose behavior is disclosed, but installing it lets your agent inspect TaskTrace activity history and screenshots, so users should review the setup commands and the privacy implications before enabling it.
This skill looks purpose-aligned, but install it only if you want an agent to access TaskTrace activity history and screenshots. Verify the local TaskTrace app is trusted, review any npm/GitHub helper scripts before running them, and avoid broad tool-profile changes unless you understand their effect.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal engine telemetry is currently stale for this artifact.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An enabled agent may be able to read recent work history and screenshots from TaskTrace.
The skill explicitly gives the agent access to persistent TaskTrace activity data and screenshots, which can contain sensitive private information.
"exposing your work history, activity feeds, and screenshots"
Install only if you trust TaskTrace and want your agent to inspect this data; review TaskTrace privacy settings and use the most scoped/project-specific configuration available.
When the MCP server is enabled, your client can start and communicate with the local TaskTrace app.
The bundle works by launching the local TaskTrace desktop executable as an MCP stdio server. This is disclosed and central to the stated purpose.
"command": "/Applications/TaskTrace.app/Contents/MacOS/TaskTrace", "args": ["--mcp-stdio"]
Make sure the local TaskTrace app is installed from a trusted source before enabling this MCP bundle.
Running this command may enable a broader tool profile in OpenClaw.
The OpenClaw setup example changes the tools profile to full. It is a manual setup command, but users should understand whether it affects tool access more broadly than this plugin.
openclaw config set tools.profile '"full"' --strict-json
Only run the full-tools-profile command if it is required and acceptable for your workspace; otherwise prefer a narrower, project-scoped MCP configuration.
If you follow GitHub/npm setup instructions instead of using only the provided bundle, you may run helper code outside the scanned artifact set.
The package metadata references helper scripts for local Codex installation, but the provided artifact set contains no code files. This is not automatic execution, but source-repo installs may involve code not reviewed in this bundle.
"install:codex-local": "node ./scripts/install-codex-plugin.mjs"
Review any helper scripts in the source checkout before running npm scripts, especially scripts that modify local agent/plugin directories.
