Tasks

v1.0.0

Manage Todoist tasks using the `todoist` CLI. Add, list, and complete tasks from the command line.

1 · 1.8k · 5 current · 5 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The skill claims to 'Manage Todoist tasks' and mentions Microsoft To‑Do, which would legitimately require TODOIST_API_TOKEN or MSGRAPH_TOKEN; however the registry metadata lists no required environment variables and only requires a 'todoist' binary. That omission is inconsistent: a task-management integration normally needs one API token declared as a required credential.
! Instruction Scope
SKILL.md instructs the agent to run CLI commands (todoist list/add/complete) and explicitly references TODOIST_API_TOKEN and MSGRAPH_TOKEN, but those env vars are not declared in the skill metadata. The instructions themselves do not ask the user where to obtain tokens or validate which service (Todoist vs Microsoft) will be used, giving the agent ambiguous leeway to require/expect sensitive tokens.
Install Mechanism
The install spec installs the PyPI package 'todoist-api-python' via pip. That's a plausible client library, but it's unclear whether that package actually installs a console 'todoist' binary as the skill requires; if it doesn't, the declared required binary and the install step are mismatched. Installing from PyPI is moderate risk but expected for a Python-based integration — verify the package and its entry points before running.
! Credentials
The runtime docs require TODOIST_API_TOKEN or MSGRAPH_TOKEN (sensitive tokens), but the skill metadata does not declare any required env vars or a primary credential. Requesting both a Todoist token and a Microsoft Graph token is broader than necessary for a single-provider 'Tasks' skill and should be justified. Tokens like these grant access to user task data and are high-sensitivity secrets.
Persistence & Privilege
The skill does not request persistent 'always' inclusion, does not declare config paths, and has no code files that would write to disk. It appears not to request elevated or persistent platform privileges.
What to consider before installing
Proceed with caution. Before installing or enabling this skill:
(1) Ask the publisher to update the skill metadata to declare exactly which environment variable(s) it needs (TODOIST_API_TOKEN and/or MSGRAPH_TOKEN). Do not set sensitive tokens until you confirm they are required and why.
(2) Verify that the pip package 'todoist-api-python' actually provides a 'todoist' CLI (check the package's PyPI/GitHub page and its console_scripts entry points); if it does not, the install step will not provide the binary the skill expects.
(3) If you must test, do so in a sandboxed environment and use least-privilege test tokens (revocable API tokens).
(4) If the skill claims to support Microsoft To‑Do, confirm exactly what permissions the MSGRAPH_TOKEN requires — Microsoft Graph scopes can grant broad access to mailbox and files.
(5) Prefer skills whose required credentials are declared in metadata and whose install source is a well-known project URL you can inspect.
If the author cannot clarify these mismatches, avoid installing.

Like a lobster shell, security has layers — review code before you run it.

latest vk97ddphz6vdeg070pvj2gczt7s80ecwc

Runtime requirements

Clawdis
Bins: todoist
