Trust Assessment
taskmaster received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 1 critical, 1 high, 0 medium, and 0 low severity. The key findings are "User-controlled input directly used as sub-agent prompt" and "Sub-agents request broad `file_io` tool access by default".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Description | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | User-controlled input directly used as sub-agent prompt | The `TaskMaster` skill takes user-provided task descriptions (e.g., from `SKILL.md` examples like 'Research PDF processing libraries') and passes them directly as the primary prompt (`task_description`) to a newly spawned sub-agent via the `sessions_spawn` primitive. This creates a direct prompt injection vector, allowing an attacker to manipulate the sub-agent's behavior by crafting malicious instructions within the task description. While the `analyze_complexity` function parses the description for model selection, the full, untrusted description is still passed to the sub-agent for execution. | Implement robust input sanitization or a clear separation between user-provided task content and system instructions for the sub-agent. Consider using a structured input format for tasks that limits the ability to inject arbitrary instructions. If direct prompting is unavoidable, ensure the host LLM has strong guardrails and is resistant to prompt injection. | LLM | scripts/delegate_task.py:109 |
| HIGH | Sub-agents request broad `file_io` tool access by default | The `delegate_task.py` script, when generating the `sessions_spawn` command for sub-agents, includes `file_io` as a default tool. This is indicated by the example in the `generate_spawn_command` comment: `"tools": ["web_search", "file_io"]`. Granting broad `file_io` access to sub-agents, especially when their prompts are user-controlled (via `task_description`), creates a significant security risk. A malicious user could craft a task description that instructs the sub-agent to read sensitive files or write malicious content to the filesystem. | Review and restrict the default tools provided to sub-agents. If `file_io` is necessary, implement strict sandboxing, path restrictions, and explicit user confirmation for sensitive file operations. Avoid granting `file_io` by default; instead, require explicit declaration for tasks that genuinely need it, and limit its scope. | LLM | scripts/delegate_task.py:30 |