Habilidades tasknotes Historial de auditorías
📦

Historial de auditorías

tasknotes - 6 auditorías

Versión de auditoría 6

Más reciente Riesgo medio

Jun 28, 2026, 10:23 AM

Static analysis found network access, environment variable access, documented shell commands, and several weak-crypto heuristics. Review confirms the skill uses a local TaskNotes HTTP API and optional bearer token, while the weak-crypto and prompt-injection signals are false positives. Publication is acceptable with a warning because API credentials are read from .env and sent over plain HTTP to the configured local endpoint.

2
Archivos escaneados
447
Líneas analizadas
9
hallazgos
codex
Auditado por
Problemas de riesgo medio (2)
scripts/tasks.py:35-45scripts/tasks.py:49-54SKILL.md:18-23SKILL.md:75-86
Optional API Token Sent Over Plain HTTP
The script loads TASKNOTES_API_KEY from a vault .env file and adds it as a bearer token for requests to the TaskNotes API. The target is intended to be localhost, but plain HTTP and an unvalidated port configuration make credential exposure possible if local configuration is changed or traffic is intercepted on the host.
scripts/tasks.py:126-152scripts/tasks.py:167-189scripts/tasks.py:203-206
Task Data Sent To Local HTTP API
Task titles, details, project names, dates, contexts, and task identifiers are transmitted to the TaskNotes HTTP API. This is core functionality, but it can expose private task content to any process serving the configured local endpoint.
Problemas de riesgo bajo (3)
SKILL.md:25-57SKILL.md:107-121
Documented Shell Commands Are Expected Usage
SKILL.md contains uv run examples for invoking the bundled CLI. These are documentation examples rather than dynamic shell execution in code, so command execution findings are mostly false positives.
SKILL.md:3SKILL.md:46SKILL.md:73-79SKILL.md:116scripts/tasks.py:259-293
Weak Cryptography Heuristics Are False Positives
Static weak-cryptography matches refer to markdown syntax, date examples, or argparse help text rather than cryptographic functions. No evidence found of MD5, SHA1, DES, RC4, or similar weak algorithms being used.
scripts/tasks.py:169-170scripts/tasks.py:203-206SKILL.md:99-111
Reconnaissance Heuristics Are URL Encoding And Task Queries
Static reconnaissance matches point to URL encoding of task identifiers and normal TaskNotes list or options commands. No evidence found of host, network, or system discovery behavior.

Factores de riesgo

⚡ Contiene scripts (1)
scripts/tasks.py:1-4
🌐 Acceso a red (9)
scripts/tasks.py:39 scripts/tasks.py:49-54 scripts/tasks.py:83 scripts/tasks.py:152 scripts/tasks.py:189 scripts/tasks.py:206 scripts/tasks.py:219 scripts/tasks.py:238 SKILL.md:75-86
🔑 Variables de entorno (3)
scripts/tasks.py:30-38 scripts/tasks.py:42-45 SKILL.md:18-23
⚙️ Comandos externos (2)
SKILL.md:25-57 SKILL.md:107-121

Patrones detectados

Environment-Derived HTTP Endpoint And Authorization Header

Versión de auditoría 5

Riesgo bajo

Jan 16, 2026, 05:15 PM

Standard task management tool with minimal risk. All 89 static findings are false positives. Network calls go exclusively to localhost (Obsidian TaskNotes API), not external endpoints. Environment variables are for local configuration only. No dangerous patterns, data exfiltration, or credential exfiltration detected.

3
Archivos escaneados
672
Líneas analizadas
3
hallazgos
claude
Auditado por
No se encontraron problemas de seguridad

Factores de riesgo

🌐 Acceso a red (1)
scripts/tasks.py:49-66
📁 Acceso al sistema de archivos (1)
scripts/tasks.py:32-35
🔑 Variables de entorno (1)
scripts/tasks.py:37-38

Versión de auditoría 4

Riesgo bajo

Jan 16, 2026, 05:15 PM

Standard task management tool with minimal risk. All 89 static findings are false positives. Network calls go exclusively to localhost (Obsidian TaskNotes API), not external endpoints. Environment variables are for local configuration only. No dangerous patterns, data exfiltration, or credential exfiltration detected.

3
Archivos escaneados
672
Líneas analizadas
3
hallazgos
claude
Auditado por
No se encontraron problemas de seguridad

Factores de riesgo

🌐 Acceso a red (1)
scripts/tasks.py:49-66
📁 Acceso al sistema de archivos (1)
scripts/tasks.py:32-35
🔑 Variables de entorno (1)
scripts/tasks.py:37-38

Versión de auditoría 3

Riesgo bajo

Jan 10, 2026, 10:23 AM

Standard task management tool with minimal risk. Only communicates with local Obsidian API on localhost. Reads specific environment variables for configuration. No dangerous patterns or data exfiltration capabilities detected.

2
Archivos escaneados
400
Líneas analizadas
3
hallazgos
claude
Auditado por
No se encontraron problemas de seguridad

Factores de riesgo

🌐 Acceso a red (1)
scripts/tasks.py:49-66
📁 Acceso al sistema de archivos (1)
scripts/tasks.py:32-35
🔑 Variables de entorno (1)
scripts/tasks.py:37-38

Versión de auditoría 2

Riesgo bajo

Jan 10, 2026, 10:23 AM

Standard task management tool with minimal risk. Only communicates with local Obsidian API on localhost. Reads specific environment variables for configuration. No dangerous patterns or data exfiltration capabilities detected.

2
Archivos escaneados
400
Líneas analizadas
3
hallazgos
claude
Auditado por
No se encontraron problemas de seguridad

Factores de riesgo

🌐 Acceso a red (1)
scripts/tasks.py:49-66
📁 Acceso al sistema de archivos (1)
scripts/tasks.py:32-35
🔑 Variables de entorno (1)
scripts/tasks.py:37-38

Versión de auditoría 1

Riesgo bajo

Jan 10, 2026, 10:23 AM

Standard task management tool with minimal risk. Only communicates with local Obsidian API on localhost. Reads specific environment variables for configuration. No dangerous patterns or data exfiltration capabilities detected.

2
Archivos escaneados
400
Líneas analizadas
3
hallazgos
claude
Auditado por
No se encontraron problemas de seguridad

Factores de riesgo

🌐 Acceso a red (1)
scripts/tasks.py:49-66
📁 Acceso al sistema de archivos (1)
scripts/tasks.py:32-35
🔑 Variables de entorno (1)
scripts/tasks.py:37-38
← Volver a Skill