gtasks-cli

v1.0.2

Manage Google Tasks from the command line - view, create, update, delete tasks and task lists. Use when the user asks to interact with Google Tasks, manage t...

by Siddhartha Varma (@bro3886)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name and description (manage Google Tasks) match the SKILL.md: it uses a gtasks CLI and Google OAuth2. The requested artifacts in SKILL.md (GTASKS_CLIENT_ID, GTASKS_CLIENT_SECRET, ~/.gtasks/token.json) are proportionate to that purpose. However, the registry metadata at the top of the package lists no required env vars or config paths, which contradicts the SKILL.md. That mismatch is noteworthy and could be accidental or a packaging oversight.
Instruction Scope
The SKILL.md instructs only local CLI operations and the standard OAuth browser flow (gtasks login → token saved to ~/.gtasks/token.json). Advanced docs show typical scripting patterns (jq, notify-send, date differences) but these are optional examples. The instructions do not ask to exfiltrate data to third-party endpoints beyond the Google OAuth flow, nor do they reference unrelated system-wide secrets. Still, the doc implicitly assumes presence of tools like jq/notify-send in examples without declaring them.
Install Mechanism
This is an instruction-only skill with no install spec or embedded code. The SKILL.md tells users to download the gtasks binary from the project's GitHub Releases page — a reasonable, common-sense instruction. Because there is no automated installer in the skill, nothing is written to disk by the skill itself.
Credentials
The environment variables and token file the SKILL.md requires (GTASKS_CLIENT_ID, GTASKS_CLIENT_SECRET, ~/.gtasks/token.json) are appropriate for a Google OAuth-based CLI. The concern is that the registry metadata does not declare these required env vars or config paths, meaning the package's declared requirements and the runtime instructions are inconsistent. Users should not supply third-party client IDs/secrets; instead create credentials in their own Google Cloud project.
Persistence & Privilege
The skill does not request 'always: true' and has no install-time persistence. The only persistent artifact mentioned is the OAuth token file (~/.gtasks/token.json) which is normal for an OAuth client. The skill does not request or attempt to modify other skills or system-wide agent settings.
What to consider before installing
The SKILL.md appears to describe a legitimate Google Tasks CLI integration, but the package metadata does not match the runtime requirements. Before installing or using this skill:
1) Confirm the gtasks binary is downloaded from the official GitHub Releases page (inspect the repo and release assets).
2) Create your own OAuth client in Google Cloud (do not reuse someone else's client ID/secret) and set GTASKS_CLIENT_ID and GTASKS_CLIENT_SECRET in a restricted file (chmod 600).
3) Verify the token file is created only at ~/.gtasks/token.json and has strict permissions; revoke tokens/credentials when no longer needed.
4) Be aware advanced examples use jq, notify-send, etc.; install those tools only if you need them.
5) Ask the publisher/registry maintainer why the registry metadata omits the environment and config path requirements — resolve that mismatch before proceeding.
