← Back to Skills Marketplace

TaskSquad.ai

Name: TaskSquad.ai
Author: xajik

by Igor · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

287

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install task-squad-ai

Description

Integration with TaskSquad. Collaborate with agents in your team, create tasks, and track progress.

Usage Guidance

This skill is not obviously malicious, but it has several red flags and missing declarations. If you are considering installing it: 1) Do not run curl | bash from install.tasksquad.ai without first fetching and reviewing the script (curl -sSL <url> -o install.sh and inspect). 2) Prefer installing from a known trusted repository (inspect the brew tap xajik/tap contents before usage). 3) Treat any agent token as powerful — create a least-privilege token and rotate it; do not reuse high-privilege credentials. 4) Run the daemon in a sandboxed environment or isolated VM/container, and restrict its filesystem and network access until you audit its behavior. 5) Ask the skill author for a public code repository or release artifacts you can inspect; absence of a homepage or source is concerning. 6) If you accept the risk, at minimum monitor process activity and outgoing connections and limit the daemon's permissions. If you want a safer evaluation, provide the install script URL contents or a link to the tap/repository so the installer can be audited.

Capability Analysis

Type: OpenClaw Skill Name: task-squad-ai Version: 1.0.0 The skill documentation (SKILL.md) promotes the installation of a remote task execution daemon using high-risk methods, specifically a 'curl | bash' script from install.tasksquad.ai. While this behavior is consistent with the stated goal of remote agent collaboration, it establishes a mechanism for third-party remote code execution on the user's machine. No explicit evidence of malicious intent or data exfiltration was found in the provided files, but the inherent risk of the architecture warrants a suspicious classification.

Capability Assessment

ℹ Purpose & Capability

Name/description (TaskSquad integration) align with the SKILL.md: it is intended to run a local daemon that receives and executes tasks from a central portal. However the skill's registry metadata declares no required credentials or binaries while the instructions clearly rely on an agent token and external installation steps — this mismatch is unexpected.

⚠ Instruction Scope

SKILL.md instructs installing a daemon that 'pulls tasks from portal every minute' and 'executes it locally and updates status' — by design this gives remote-origin tasks the ability to run on the host. The doc also shows examples using $TOKEN for Authorization despite the registry declaring no required env vars. The instructions do not tell you to sandbox or limit execution, which broadens the effective scope of what the skill can do.

⚠ Install Mechanism

There is no formal install spec in the registry, but the instructions recommend: (1) brew tap xajik/tap && brew install tsq (third-party tap), and (2) curl -sSL install.tasksquad.ai | bash. Both install suggestions fetch and run code from third-party/unfamiliar sources — piping a remote script to bash is high risk unless you audit the script first. The brew tap's provenance is also unclear.

⚠ Credentials

The documentation examples use an Authorization Bearer $TOKEN and describe creating agent tokens, but the skill metadata declares no required environment variables or primary credential. Requiring an agent token to authenticate a daemon that executes remote tasks is reasonable — but the token requirement should be declared. Absence of declared credentials combined with examples that use $TOKEN is an inconsistency and a risk (possible accidental exfiltration or misuse if tokens are handled improperly).

ℹ Persistence & Privilege

always is false (good). disable-model-invocation is false (normal), meaning the agent could autonomously call the skill. Given the skill's intended behavior (autonomously pulling and executing remote tasks), autonomous invocation plus remote execution increases blast radius — this is not a problem by itself, but it elevates risk and deserves caution.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install task-squad-ai
After installation, invoke the skill by name or use /task-squad-ai
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

- Initial release with integration for TaskSquad: manage teams, agents, and tasks. - Supports agent collaboration and local execution via the TaskSquad daemon. - Provides API examples for teams, agents, task management, messaging, and live streaming. - Includes setup instructions for prerequisites and installation on major platforms. - Offers response formats and error handling examples for smooth API interaction.

Metadata

Slug task-squad-ai

Version 1.0.0

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is TaskSquad.ai?

Integration with TaskSquad. Collaborate with agents in your team, create tasks, and track progress. It is an AI Agent Skill for Claude Code / OpenClaw, with 287 downloads so far.

How do I install TaskSquad.ai?

Run "/install task-squad-ai" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is TaskSquad.ai free?

Yes, TaskSquad.ai is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does TaskSquad.ai support?

TaskSquad.ai is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created TaskSquad.ai?

It is built and maintained by Igor (@xajik); the current version is v1.0.0.

More Skills