todoist latest v1.0.1
Manage Todoist tasks. Use when the user mentions "todoist", "my tasks", "task list", "add a task", "complete task", or wants to interact with their Todoist account.
by Kevin Luo @luoandorder
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with using the 'td' CLI to manage Todoist. However, the skill declares no credentials or config paths even though the described operations write to the Todoist API and read/write a local cache — a Todoist API token or local config is required in practice. The lack of declared credential requirements is inconsistent with the stated capability.
Instruction Scope
SKILL.md only instructs the agent to run the 'td' binary for various operations (list, add, done, sync, etc.). The instructions themselves do not ask the agent to read arbitrary user files or env vars, but they rely entirely on an external binary that will access the network and local cache/config (and therefore user credentials). The skill does not document where those credentials/config live or how they're provided.
Install Mechanism
The install spec uses a Homebrew formula from a third‑party tap (LuoAndOrder/tap/todoist-cli) which creates the 'td' binary. Using Homebrew is reasonable, but the tap is not the official Homebrew/core; that increases supply‑chain risk relative to an official package.
Credentials
requires.env is empty and no primary credential is declared, yet the skill's operations 'hit the API directly' and use a local cache. This implies the 'td' binary will rely on a Todoist API token or local config (credentials) that are not disclosed in the skill metadata. That omission prevents users from understanding what secrets or config the skill will access.
Persistence & Privilege
always is false and the skill does not request persistent agent-wide privileges. There's no indication it modifies other skills or system settings.
Scan Findings in Context
[no_regex_findings] expected: The scanner found no code to analyze because this is an instruction-only skill (SKILL.md). That absence is expected but means the security surface is the external 'td' binary and the brew tap rather than code embedded in the skill.
What to consider before installing
This skill is coherent (it delegates Todoist work to the 'td' CLI) but has two practical concerns:
(1) it does not declare how the Todoist API token or local config are provided or where they are stored — the 'td' binary will need credentials and will read/write a local cache, so inspect how 'td' authenticates (env vars, ~/.config, etc.) before use;
(2) the Homebrew formula comes from a third‑party tap (LuoAndOrder) rather than core Homebrew — review the tap/formula and the upstream repo for trustworthiness.
Recommendations:
(a) review the 'td' project's README to learn where it stores credentials and whether it uses plaintext tokens;
(b) verify the Homebrew formula or build from source if you don’t trust the tap;
(c) limit the Todoist API token's scope if possible and store it securely (use a dedicated token);
(d) consider running the CLI in an isolated environment (container) until you confirm its behavior.
If you want, I can fetch the repo/homepage and point out where the CLI stores config and how to inspect the Homebrew formula before installing.
Like a lobster shell, security has layers — review code before you run it.
latest vk9728h1bd6bavksnstemreqdq98004vy
Runtime requirements
✅ Clawdis
Bins: td
Install
Install todoist-cli via Homebrew
Bins: td
brew install LuoAndOrder/tap/todoist-cli