Security audit

todoist-mind

Security checks across malware telemetry and agentic risk

Overview

This Todoist skill is related to task management, but it under-discloses live account access, includes a plaintext token, and can broadly sync, list, complete, and delete Todoist data.

Review before installing. Treat this as live Todoist automation, not a mock script. Do not use the bundled token; it should be revoked or replaced with a placeholder. Only install after credential handling is corrected, broad sync and task listing are clearly disclosed or removed, and destructive actions require explicit confirmation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares no explicit permissions while its documented behavior and metadata indicate file access and potential network/API interaction. This weakens the trust boundary for users and reviewers because the skill can handle credentials and contact external services without clear permission disclosure.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The documented purpose is limited to add/complete/delete/list projects, but the analyzed behavior indicates broader data access such as syncing all resources and listing all tasks. That mismatch can lead to over-collection of user data and actions outside user expectations, which is especially risky for a task-management integration tied to personal productivity data.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The documentation says the API token is stored in a local JSON file while the manifest declares an environment-variable requirement for the same secret. Inconsistent secret-handling instructions commonly lead to insecure storage, accidental commits, or developers placing credentials in multiple locations that are harder to protect.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script exposes a `list_tasks` command that is not declared in the skill metadata, creating a hidden capability that can reveal all task contents and associated project IDs. Undocumented data-access functionality is dangerous because reviewers and users may authorize the skill for narrower behavior than what the code actually performs.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The code performs an automatic full `/sync` against Todoist before commands when `sync_on_command` is enabled, but this behavior is not described in the manifest. This broadens data access beyond the documented operations and may pull substantially more user data than needed for the requested action, violating least privilege and informed consent.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The skill documents destructive operations like delete and complete without explicit confirmation, warning, or discussion of reversibility. In an agent setting, this increases the chance of accidental loss or modification of user task data through misunderstood prompts or automation errors.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The instructions direct users to place an API token in a local JSON file but provide no credential-safety guidance. This encourages insecure secret storage practices, increasing the risk of accidental exposure through version control, backups, logs, or shared workspaces.

Natural-Language Policy Violations

High
Confidence
99% confidence
Finding
The file contains a hardcoded Todoist API token in plaintext, which is a real secret exposure vulnerability. Anyone who obtains this skill package or repository can use the token to access and manipulate the associated Todoist account, and the `sync_on_command` setting increases operational risk because commands may immediately affect remote state.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
`delete_task` issues a destructive API call immediately upon receiving a task ID, with no confirmation step, preview, or safety interlock. In an agent context, ambiguous task selection or prompt/parameter mistakes can lead to irreversible deletion of user data.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.