task-manager

Warn

Audited by Gen Agent Trust Hub on Jun 22, 2026

Risk Level: MEDIUMDATA_EXFILTRATIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The scripts/backup.sh script, executed every 3 minutes via a cron worker, is designed to capture the state of the entire ~/workspace directory and push it to a remote Git repository (origin main). This behavior constitutes a significant data exposure risk, as it automatically transmits local files, source code, and potentially sensitive configuration or credentials stored in the workspace to an external server.
  • [COMMAND_EXECUTION]: Multiple scripts, including scripts/workspace-provision.js, scripts/project-sync-cron.js, and scripts/recurring-work.js, utilize execSync to perform system operations via sqlite3, git, and curl. These scripts construct shell commands using string interpolation of task descriptions, project names, and other metadata without sufficient sanitization. This pattern is highly susceptible to shell command injection if the interpolated data contains shell metacharacters such as backticks or subshell markers ($()).
  • [EXTERNAL_DOWNLOADS]: The scripts/project-sync-cron.js script uses curl to interact with local and remote endpoints to synchronize project data with external GitHub repositories.
  • [PROMPT_INJECTION]: The scripts/backlog-groomer.js and scripts/research-assist.js scripts implement a workflow that ingests untrusted task data and interpolates it into prompts for other AI agents.
  • Ingestion points: Task titles, descriptions, and work notes stored in the SQLite database, which can be populated by user input or synced from external GitHub issues.
  • Boundary markers: None identified; task content is interpolated directly into research prompts without delimiters or instructions to ignore embedded commands.
  • Capability inventory: The skill possesses significant system capabilities, including arbitrary shell execution (execSync), file system modification (fs.mkdirSync), and network operations (git push, curl).
  • Sanitization: There is no evidence of validation or escaping for task content before it is processed by the AI or interpolated into shell commands.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 22, 2026, 01:56 PM
Security Audit — agent-trust-hub — task-manager