google-tasks
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script
scripts/refresh_token.jsutilizeschild_process.execto launch the system's default web browser during the OAuth 2.0 authorization flow. This is used specifically to open platform-appropriate binaries likeopen,start, orxdg-openwith an escaped authorization URL. - [EXTERNAL_DOWNLOADS]: The skill communicates with official Google service endpoints (
tasks.googleapis.comandoauth2.googleapis.com) for task management and token refreshment. These are well-known, trusted technology services. - [PROMPT_INJECTION]: The skill possesses an attack surface for indirect prompt injection because it processes task titles and notes that could originate from external sources.
- Ingestion points: Data enters the agent context through
scripts/get_tasks.sh(retrieving tasks from the API) andscripts/create_task.sh(taking user-provided strings). - Boundary markers: The skill does not use explicit delimiters to isolate retrieved task content from the agent's instructions.
- Capability inventory: The skill can execute subprocesses (
curl,jq) and perform file-write operations to maintain thetoken.jsonfile. - Sanitization: The bash scripts utilize
jqwith the--argflag for JSON construction, ensuring that task content is properly escaped and cannot break the structure of API requests.
Audit Metadata