Trusted — Risk Score 5/100
Last scan: 1 day ago
taskboard-cli
Lightweight SQLite-backed task management CLI for multi-agent workflows
A straightforward SQLite-backed task management CLI with no network calls, no credential access, no shell execution, and clean standard-library-only implementation that matches its documented behavior.
Skill Name: taskboard-cli
Duration: 32.7s
Engine: pi
Safe to install
This skill is safe to use. The code performs exactly as documented with no hidden behavior. Minor doc inconsistencies between reference files and implementation do not represent security risks.

Findings: 1 item

Severity: Low
Finding: Reference doc describes a different tool variant (Doc Mismatch)
references/taskboard-setup.md documents a JSON-based taskboard (taskboard.json, --assignee flag) but scripts/taskboard.py is SQLite-based with different CLI flags. This is a cosmetic documentation drift, not a security issue — the actual skill implementation matches SKILL.md accurately.
Tasks are stored in `taskboard.json`
→ Update references/taskboard-setup.md to match the SQLite implementation, or consolidate into SKILL.md to avoid confusion.
Location: references/taskboard-setup.md:1
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | taskboard.py:35-42 — sqlite3.connect() writes to scripts/taskboard.db |
| Network | NONE | NONE | | No urllib, requests, http.client, socket, or subprocess calls anywhere in taskbo… |
| Shell | NONE | NONE | | No subprocess, os.system, or popen calls in taskboard.py |
| Environment | NONE | NONE | | No os.environ access; default --author is hardcoded literal 'paimon' |
| Skill Invoke | NONE | NONE | | No skill invocation or dynamic import calls |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | NONE | | No browser or web automation |
| Database | WRITE | WRITE | ✓ Aligned | taskboard.py:32-47 — full SQLite CRUD via sqlite3, schema auto-initialization |
1 finding
Medium: External URL
https://discord.com/api/webhooks/...
references/webhook-integration.md:54

File Tree

6 files · 29.6 KB · 935 lines
Python 1f · 496L Markdown 4f · 394L SQL 1f · 45L
├─ 📁 references
│ ├─ 📝 github-backend.md Markdown 97L · 2.9 KB
│ ├─ 📝 taskboard-setup.md Markdown 141L · 3.4 KB
│ └─ 📝 webhook-integration.md Markdown 63L · 1.8 KB
├─ 📁 scripts
│ ├─ 📄 schema.sql SQL 45L · 1.6 KB
│ └─ 🐍 taskboard.py Python 496L · 16.3 KB
└─ 📝 SKILL.md Markdown 93L · 3.5 KB

Security Positives

✓ Uses only Python standard library (sqlite3, argparse, json, pathlib, datetime) — no external dependencies
✓ No network calls of any kind — confirmed by grep for urllib, requests, http, socket, subprocess
✓ No credential or environment variable access
✓ No shell execution (subprocess, os.system, popen)
✓ SKILL.md accurately describes all actual functionality
✓ SQLite schema auto-initializes safely with CREATE TABLE IF NOT EXISTS and idempotent migrations
✓ Input parameters bound via parameterized queries — no SQL injection risk
✓ Audit trail (task_updates table) records all field changes with author attribution
✓ Discord webhook reference is purely informational in a reference doc, not implemented in the skill code