dev-task-queue
Fail
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires cloning an external repository from
git@github.com:OlechowskiMichal/agent-task-queue.gitto the user's home directory (~/.agent-task-queue). - [REMOTE_CODE_EXECUTION]: The skill establishes a workflow where unverified Python scripts (e.g.,
add_task.py,claim_task.py) are executed from a cloned repository. This allows any changes made to the remote repository to result in arbitrary code execution on the host system during subsequent skill usage. - [DATA_EXFILTRATION]: The system is designed to push task updates to a remote git repository. Because tasks can contain sensitive information such as project details, context notes, and references to Claude conversation transcripts (
conversation.jsonl), this behavior effectively exfiltrates that data to a remote server. - [COMMAND_EXECUTION]: The skill instructions direct the agent to use
python3andgitcommands to manage tasks and the underlying storage repository. - [PROMPT_INJECTION]: The skill processes task metadata (subjects, descriptions, and notes) which act as indirect prompt injection surfaces. If the remote repository or task data is compromised, malicious instructions could be embedded in these fields to influence the agent's behavior when it lists or claims a task.
- Ingestion points:
list_tasks.pyandclaim_task.pyread task files from the repository. - Boundary markers: None identified in the provided documentation or schema.
- Capability inventory: Subprocess execution via Python scripts, git network operations (push/pull).
- Sanitization: No evidence of sanitization for task descriptions or context notes before they are processed by the agent.
Recommendations
- AI detected serious security threats
Audit Metadata