skills/rarestg/rarestg-skills/task-os/Gen Agent Trust Hub

task-os

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION)
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The skill directs the agent to execute shell commands that incorporate raw user input, such as task add project:inbox "The thing they said". If the agent does not properly escape shell-active characters like ;, &&, or backticks, an attacker can execute arbitrary commands on the host system via crafted task descriptions.
  • [PROMPT_INJECTION] (HIGH): The skill is highly susceptible to Indirect Prompt Injection because it ingests untrusted data from user inputs and repository logs without boundary markers or sanitization. Specifically, malicious instructions stored in Taskwarrior descriptions or Git history could be interpreted as commands by the agent during the 'Orient' or 'Periodic check-in' phases.
  • [DATA_EXFILTRATION] (MEDIUM): The use of git -C <repo-path> allows the agent to access arbitrary file system paths. While no network exfiltration is explicitly scripted, this capability facilitates the exposure of sensitive repository data and local file structures to the agent's context.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 06:33 AM