tasks-sync
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: CRITICALCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (CRITICAL): The $ARGUMENTS variable is used unquoted in shell commands (ls, mkdir, git add), allowing an attacker to execute arbitrary bash commands on the host system.
- [DATA_EXFILTRATION] (HIGH): The skill accesses sensitive internal session metadata at ~/.claude/tasks/ and moves it to a project directory where it is staged for git, creating a risk of exfiltrating private agent data.
- [PROMPT_INJECTION] (HIGH): Indirect Prompt Injection risk: 1. Ingestion points: Untrusted task content from TaskList and TaskGet (file: SKILL.md); 2. Boundary markers: Absent; 3. Capability inventory: Bash and Write tools (file: SKILL.md); 4. Sanitization: Absent, as task subjects and descriptions are written directly to files.
Recommendations
- AI detected serious security threats
Audit Metadata