registry  /  taskherder  /  0.1.7

taskherder@0.1.7

Herd scheduled task lanes across projects, containers, and hosts — run OS commands and AI agents (Claude/Codex/Copilot) on a schedule, with manual gates, git-branch isolation, per-account auth, and an optional web console.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs `taskherd install`, configures/runs a task, or starts `taskherd serve`.
Impact
A consenting user can grant scheduled agents broad local execution; the install command modifies the user's Claude integration surface.
Mechanism
Explicit agent integration registration and user-configured command/AI execution.
Rationale
The package is not shown to be malicious, but it performs explicit user-scope AI-agent registration and provides a dangerous scheduled execution capability. Per firewall policy, this merits a warning rather than a block.
Evidence
package.jsonbin/cli.mjsbin/mcp.mjssrc/executor.mjssrc/providers.mjssrc/serve.mjsskill/task
Network endpoints1
127.0.0.1

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `bin/cli.mjs` `taskherd install` registers `taskherd` in Claude's user-scope MCP configuration.
  • `bin/cli.mjs` links bundled `skill/task` into the user's Claude skills directory after explicit command invocation.
  • `src/providers.mjs` schedules AI CLIs with permissive built-in defaults, including Claude `bypassPermissions` and Copilot `--allow-all-tools`.
  • `src/executor.mjs` runs configured command/AI steps via a PTY and writes generated MCP config for scheduled AI runs.
Evidence against
  • `package.json` has no preinstall/install/postinstall hook; its only lifecycle script is `prepublishOnly`.
  • Agent configuration mutation is confined to the explicit `taskherd install` command and refuses to overwrite a foreign skill link.
  • No source evidence of credential harvesting, telemetry, remote payload download, obfuscation, eval, or outbound exfiltration.
  • `src/serve.mjs` uses a generated token and the CLI defaults the web console to loopback; shell/GFX access requires explicit flags.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 26 file(s), 396 KB of source, external domains: 127.0.0.1, github.com

Source & flagged code

1 flagged · loading source
src/paths.mjsView file
11export function taskherdHome() { L12: if (process.env.TASKHERD_HOME) return path.resolve(process.env.TASKHERD_HOME); L13: return path.join(os.homedir(), '.taskherd'); L14: }
Low
Weak Crypto

Package source references weak cryptographic algorithms.

src/paths.mjsView on unpkg · L11

Findings

2 Medium6 Low
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptosrc/paths.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings