import-todos
Audited by Socket on Feb 25, 2026
1 alert found:
Security: This SKILL.md is coherent with its stated purpose: discover TODO/FIXME comments using a local CLI (`taskmd`), present them to the user, and create tasks via an add-task Skill when the user selects them. There are no direct signs of malicious behavior (no remote downloads, no hardcoded credentials, no obfuscated code). The main security considerations are operational: (1) ensure $ARGUMENTS are passed to Bash safely to avoid shell injection in agents that interpolate them unsafely; (2) be aware that TODO comments can contain secrets, which this flow will surface and forward to the add-task Skill; and (3) trustworthiness of third-party components (the `taskmd` CLI and the add-task Skill): if those are compromised they can exfiltrate data or perform unwanted actions. Overall risk is low-to-moderate due to these supply-chain and accidental-data-exposure vectors.