Todoist Task Manager

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Todoist CLI guide that uses an expected API token and can change Todoist tasks, with no hidden or unrelated behavior found.

Before installing, make sure you trust the Homebrew todoist-cli package, protect ~/.config/todoist/config.json because it contains your Todoist API token, and review any delete, complete, or bulk-modification commands before letting an agent run them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Severity: Medium
Confidence: 94%

Finding: The setup instructions direct users to place a long-lived API token into a local config file without any guidance on file permissions, secret storage, or avoiding shell history and accidental disclosure. This increases the risk of credential theft from overly permissive files, backups, shared machines, or copied dotfiles, which could allow unauthorized access to the user's Todoist account.

VirusTotal

64/64 vendors flagged this skill as clean.
