
      Safety Report

      Dex Task Tracking

      @gricha

      Task tracking for async/multi-step work. Use dex to create, track, and complete tasks that span multiple sessions or require coordination (e.g., coding agent dispatches, PR reviews, background jobs). Tasks stored as JSON files in .dex/tasks/.

      2,062 Downloads
      6 Installs
      0 Stars
      2 Versions

      Security Analysis

      Medium confidence
      Suspicious · 0.08 risk

      The skill's instructions assume and tell the agent to use a 'dex' CLI and to read/write .dex/tasks JSON files, but the skill metadata provides no install instructions or declared binary requirements — an internal mismatch that should be resolved before trusting it.

      Feb 11, 2026 · 1 file · 3 concerns

      Purpose & Capability: note

      The stated purpose (local task tracking stored as JSON in .dex/tasks/) matches the SKILL.md content. However, the SKILL.md relies on a 'dex' CLI tool (commands like dex create, dex list, dex complete) while the skill metadata lists no required binaries or install steps — this is an incoherence (the skill needs a CLI but does not declare or install it).

      Instruction Scope: note

      Instructions are narrowly scoped to creating, listing, showing, editing, completing, and deleting tasks and to storing tasks under .dex/tasks/{id}.json — all consistent with the described purpose. The SKILL.md does tell the agent to run filesystem-affecting commands (create/edit/delete files in .dex), so the agent will need local file write/read permission; nothing in the instructions asks for unrelated files, credentials, or external endpoints.

      Install Mechanism: concern

      There is no install specification and no code shipped with the skill, yet the runtime instructions require a 'dex' command-line tool. That gap could cause failures or lead operators to install an unvetted binary themselves. Because the skill is instruction-only, there is no installation risk from the skill bundle itself, but the missing install step is a practical and security concern.

      Credentials: ok

      The skill declares no environment variables, no credentials, and no config paths beyond the .dex/tasks folder it manages. The requested access (local task files) is proportional to the stated purpose.

      Persistence & Privilege: ok

      'always' is false and autonomous invocation is permitted (platform default). The skill writes to its own .dex/tasks directory per design; it does not request elevated or cross-skill privileges. This level of persistence/privilege is appropriate for a local task-tracking tool.

      Guidance

      This is an instruction-only skill that expects a 'dex' CLI and stores tasks under .dex/tasks/*.json, but it does not provide or declare that CLI. Before installing or using it:

      1) confirm you have a trustworthy 'dex' binary available (know its source and verify it), or request the skill author supply an install spec or source repo;
      2) be aware the agent will read/write files in a .dex directory — do not store secrets or sensitive configs in tasks;
      3) test in a restricted environment to observe what commands the agent runs;
      4) if you cannot verify the origin of the 'dex' tool, treat the skill cautiously or mark it untrusted.

      The mismatch between required tooling and the skill metadata is the primary concern here.

      Latest Release

      v1.1.0

      Trimmed for conciseness


      Published by @gricha on ClawHub
