actionize

Warn

Audited by Socket on Apr 18, 2026

2 alerts found:

Anomaly ×2

Anomaly (LOW): SKILL.md

SUSPICIOUS. The skill’s core behavior is mostly aligned with planning and reminders, and its Telegram traffic goes to official endpoints, but it has a larger-than-necessary footprint: raw secret handling in .env, persistent system crontab installation, cross-project history aggregation, outbound Telegram messaging, and CLAUDE.md modification. This looks more like an intrusive productivity automation skill than clear malware.

Confidence: 89% / Severity: 64%

Anomaly (LOW): bin/done.sh

Likely benign task-management functionality (no network/exfiltration observed), but it contains security-relevant implementation risks: (1) command-line task IDs are interpolated directly into inline Python code without strict numeric validation/quoting, creating a potential Python injection/syntax-manipulation boundary; and (2) task markdown file paths are taken from .status.json (t['file']) with no path sanitization/whitelisting, enabling possible path traversal/symlink misuse if the status file is compromised. Additionally, completed-task descriptions are persisted to ~/.plan/history.jsonl, creating local privacy/retention exposure. Overall: medium-to-high security risk for untrusted inputs/workspaces; low evidence of intentional malware.

Confidence: 72% / Severity: 66%
Audit Metadata
Analyzed At
Apr 18, 2026, 04:23 PM
Package URL
pkg:socket/skills-sh/infranodus%2Fskills%2Factionize%2F@81bf5dc8f0952761573b8f3bcc1100b994a9a4e9
Security Audit — socket — actionize