get-task-status
Audited by Socket on Feb 25, 2026
1 alert found:
Security: This skill is narrowly focused and benign in intent: it instructs running a local CLI (taskmd) to retrieve task metadata. The main security concern is command-injection risk from interpolating unsanitized user input into a shell invocation (`taskmd status $ARGUMENTS`). There are no download-or-execute supply-chain patterns, no external network endpoints, and no credential-harvesting behavior in the provided content.

Mitigations: escape or validate $ARGUMENTS before passing it to the shell (or use an exec-style invocation without shell interpolation), limit allowed-tools to the specific CLI if possible, and avoid returning sensitive task content without user confirmation.

Overall risk is low-to-moderate, primarily due to the potential command injection and the broad 'Bash' permission.