tasks

Fail

Audited by Socket on Feb 27, 2026

1 alert found:

Obfuscated File (HIGH)
SKILL.md

The documented Google Tasks skill appears legitimate for its stated purpose (managing Tasks via a Ruby CLI that uses google-apis-tasks_v1 and googleauth). The dominant security issue is operational: a shared, broadly-scoped OAuth token (~/.claude/.google/token.json) used across multiple Google skills introduces significant overprivilege. This design increases the blast radius if any one skill or the runtime environment is compromised. The absence of the actual tasks_manager.rb script prevents verifying there are no covert behaviors (data exfiltration, access to other local secrets, or network calls to non-Google endpoints). Recommended mitigations: (1) require least-privilege OAuth scopes (separate token for Tasks only), (2) protect token files with appropriate OS permissions and optional encryption, (3) pin dependency versions, (4) perform a code review of tasks_manager.rb before deployment, and (5) monitor/stage tokens so compromise of one skill does not reveal access to other services.

Confidence: 98%
Audit Metadata

Analyzed At: Feb 27, 2026, 03:40 PM
Package URL: pkg:socket/skills-sh/arlenagreer%2Fclaude_configuration_docs%2Ftasks%2F@d0f33b4b2f19c640ffa5f888a5531f5571c709c0