list-tasks

Warn

Audited by Socket on Feb 25, 2026

1 alert found:

Security: MEDIUM
SKILL.md

The skill's stated purpose is benign (listing tasks), but its implementation is unsafe. Directly interpolating user-controlled `$ARGUMENTS` into a Bash-executed command creates a high-severity command injection vulnerability. There is also medium supply-chain risk from an unverified `taskmd` binary and an excessive permission scope (Bash access). Recommend immediate remediation (avoid shell interpolation, enforce argument allowlist, restrict tooling and verify binary provenance) before running this skill in sensitive environments.

Confidence: 75%
Severity: 75%
Audit Metadata
Analyzed At: Feb 25, 2026, 05:39 PM
Package URL: pkg:socket/skills-sh/driangle%2Ftaskmd%2Flist-tasks%2F@a41df5cff5ff72c0caaa6efa9b168fc422d84074