vikunja
Pass
Audited by Gen Agent Trust Hub on Apr 10, 2026
Risk Level: SAFE
Findings flagged: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE
Full Analysis
- [COMMAND_EXECUTION]: The script `scripts/vikunja_tool.py` executes a local sibling tool (`joplin_tool.py`) using `subprocess.run` to facilitate task synchronization.
  - Evidence: The `_call_joplin` function constructs a command list starting with `["uv", "run", ...]` to call the target script.
  - Analysis: The command is executed as an argument list without a shell, so shell metacharacters in task data (for example `;` or `$(...)` in a task title) reach the child process as literal argument text rather than being interpreted; this prevents shell injection. The list form does not by itself prevent option injection: an argument that begins with `-` can still be parsed as a flag by the target CLI unless the caller separates user-controlled arguments with `--` or validates them. With that caveat, this is a standard and acceptable integration pattern for cross-skill communication.
- [EXTERNAL_DOWNLOADS]: The skill declares dependencies on reputable Python packages in `scripts/pyproject.toml` and uses `httpx` for network communication.
  - Dependencies: `httpx`, `click`.
  - Analysis: These are well-known, established libraries used according to their intended purposes (network requests and CLI parsing). Network operations are limited to user-configured API endpoints and local services.
- [CREDENTIALS_UNSAFE]: The skill manages API tokens via a local configuration file.
  - Evidence: The script reads `api_token` and `token` from `agent_config.toml` for authenticating with Vikunja and Joplin services.
  - Analysis: This approach aligns with the platform's standard security practices for secret management, avoiding hardcoded credentials while maintaining necessary authentication for the target services. The protection is only as good as the file's handling: `agent_config.toml` should be readable by the owner only (mode 0600), kept out of version control, and its tokens kept out of log output and URLs. Because the endpoints are user-configured, a token is sent to whatever URL the user enters, so a mistyped or hostile endpoint would receive it.
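The following is an added example (not code from the audited skill or from this page) showing the behaviour the COMMAND_EXECUTION analysis relies on and the option-injection caveat it notes. It cannot call `uv run joplin_tool.py` offline, so it substitutes a hypothetical child process (the current Python interpreter running a one-liner that echoes its argv) and a hypothetical `sync` subcommand; the real tool's name and subcommands are assumptions. It contrasts the list-form call (no shell; a hostile task title arrives as one literal argument, and `--` keeps a title such as `--help` from being read as a flag) with the shell-string pattern the list form avoids, where the same title executes an extra command. The shell-form part assumes POSIX sh.

```python
import json
import shlex
import subprocess
import sys
from typing import Sequence

# Constructed stand-in for the sibling tool (the page's joplin_tool.py is not
# reproduced here): a one-liner that prints its argv as JSON, so the caller
# can see exactly which arguments the child process received.
ECHO_ARGV = "import json, sys; print(json.dumps(sys.argv[1:]))"


def build_command(subcommand: str, args: Sequence[str]) -> list[str]:
    """Build an argv list in the style the audit describes for _call_joplin.

    Each element becomes exactly one argv entry in the child; no shell ever
    parses the task text.  The '--' placed before the user-controlled
    arguments ends option parsing in click and most other CLIs, so a task
    title such as "--help" reaches the tool as data rather than as a flag.
    (Hypothetical layout: the real tool's subcommands are not on this page.)
    """
    return [sys.executable, "-c", ECHO_ARGV, subcommand, "--", *list(args)]


def call_list_form(subcommand: str, args: Sequence[str]) -> list[str]:
    """Run the child without a shell and return the argv it actually saw."""
    proc = subprocess.run(build_command(subcommand, args),
                          capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


def call_shell_form(subcommand: str, title: str) -> str:
    """The pattern the list form avoids: task text interpolated into a
    shell command string and run with shell=True (POSIX sh semantics).
    Returns the raw stdout so any injected output is visible to the caller."""
    cmd = (f"{shlex.quote(sys.executable)} -c {shlex.quote(ECHO_ARGV)} "
           f"{subcommand} {title}")
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    hostile = "buy milk; echo INJECTED"      # constructed hostile task title
    print("list form :", call_list_form("sync", [hostile]))
    print("list form :", call_list_form("sync", ["--help"]))
    print("shell form:", call_shell_form("sync", hostile))
```

In the list form the hostile title is one argv element, `['sync', '--', 'buy milk; echo INJECTED']`; in the shell form the child sees `['sync', 'buy', 'milk']` and the shell then runs `echo INJECTED` as a second command. Replace the interpreter stand-in with `["uv", "run", "joplin_tool.py", ...]` and the list-form behaviour is the one the audit credits.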
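The following is an added example (not the skill's own code) of the file-handling checks the CREDENTIALS_UNSAFE analysis assumes: it loads `api_token` and `token` from an `agent_config.toml`, refuses the file if group or others can read it, sends the Vikunja token as a bearer header rather than in a URL, and redacts it for logs. The `[vikunja]`/`[joplin]` section layout, the `url` keys and the placeholder values are constructed assumptions; only the two token key names come from the audit. It requires Python 3.11 (`tomllib`) or the `tomli` backport, and a POSIX filesystem for the mode check.

```python
import os
import stat
import tempfile

try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # pragma: no cover
    import tomli as tomllib  # type: ignore

# Constructed sample config in the shape the audit describes: a [vikunja]
# api_token and a [joplin] token.  Section names, url keys and values are
# assumptions and placeholders, not real credentials.
SAMPLE_CONFIG = b"""
[vikunja]
url = "https://vikunja.example.invalid/api/v1"
api_token = "tk_placeholder_0123456789"

[joplin]
url = "http://127.0.0.1:41184"
token = "jp_placeholder_9876543210"
"""

GROUP_OR_OTHER = stat.S_IRWXG | stat.S_IRWXO


def check_private(path: str) -> int:
    """Refuse a secrets file that group or others can read or write.
    Returns the permission bits on success."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & GROUP_OR_OTHER:
        raise PermissionError(
            f"{path} has mode {oct(mode)}; a secrets file must be 0o600 "
            "(run: chmod 600 agent_config.toml)")
    return mode


def load_tokens(path: str) -> dict[str, str]:
    """Load both tokens only after the permission check passes."""
    check_private(path)
    with open(path, "rb") as fh:
        cfg = tomllib.load(fh)
    return {"vikunja": cfg["vikunja"]["api_token"],
            "joplin": cfg["joplin"]["token"]}


def vikunja_headers(token: str) -> dict[str, str]:
    """Carry the token in the Authorization header, never in the URL,
    so it does not land in proxy or server access logs."""
    return {"Authorization": f"Bearer {token}"}


def redact(token: str) -> str:
    """What a log line may contain instead of the token itself."""
    return "***" if len(token) < 8 else token[:4] + "..." + token[-2:]


def write_sample(directory: str, mode: int) -> str:
    """Write SAMPLE_CONFIG into directory with the given file mode."""
    path = os.path.join(directory, "agent_config.toml")
    with open(path, "wb") as fh:
        fh.write(SAMPLE_CONFIG)
    os.chmod(path, mode)
    return path


def load_sample_with_mode(mode: int) -> dict[str, str]:
    """Write the sample to a temp dir with the given mode and load it."""
    with tempfile.TemporaryDirectory() as d:
        return load_tokens(write_sample(d, mode))


def is_rejected(mode: int) -> bool:
    """True when a file with this mode fails the permission check."""
    try:
        load_sample_with_mode(mode)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    tokens = load_sample_with_mode(0o600)
    print("loaded:", {k: redact(v) for k, v in tokens.items()})
    print("headers:", {k: redact(v) for k, v in vikunja_headers(tokens["vikunja"]).items()})
    print("0o644 rejected:", is_rejected(0o644))
```

The permission check is deliberately done before parsing so that a misconfigured file is rejected without its contents ever being read into the process.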
Audit Metadata