Todoist Task Manager

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may be able to change or delete tasks if the user asks it to use these commands.

Why it was flagged

The skill documents commands that can modify, complete, or delete Todoist tasks. This is expected for a task manager, but users should be aware it can make persistent account changes.

Skill content

todoist modify TASK_ID --content "New title" ... todoist close TASK_ID ... todoist delete TASK_ID

Recommendation

Review requested task changes before allowing delete, complete, or bulk modification commands.

What this means

Anyone or any process with access to that config file may be able to use the Todoist account through the CLI.

Why it was flagged

The skill requires a Todoist API token stored in a local config file. This is purpose-aligned for using the Todoist CLI, but the registry metadata does not separately declare a primary credential.

Skill content

Get your API token from https://app.todoist.com/app/settings/integrations/developer ... echo '{"token": "YOUR_API_TOKEN"}' > ~/.config/todoist/config.json

Recommendation

Store the token securely, avoid sharing the config file, and revoke or rotate the Todoist token if it may have been exposed.

What this means

The installed CLI handles Todoist account access and task operations.

Why it was flagged

The skill depends on an external Homebrew-installed Todoist CLI. This is disclosed and central to the skill's purpose, but it means users rely on that package's provenance and behavior.

Skill content

Install: `brew install todoist-cli`

Recommendation

Install the CLI from a trusted Homebrew source and keep it updated.