Todoist Manager
v1.0.0Manage Todoist tasks, projects, labels, and comments via the todoist CLI wrapper. Use when a user asks to add tasks, list todos, complete items, manage projects, or interact with their Todoist account.
⭐ 1· 1.6k·2 current·2 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The described purpose (manage Todoist via a CLI wrapper) legitimately requires a Todoist API token and tools like curl/jq or a shipped CLI. However the registry metadata lists no required environment variables, no required binaries, and there are no code files. That omission is inconsistent — a Todoist CLI skill should declare TODOIST_API_TOKEN and required binaries or include an install spec or script.
Instruction Scope
SKILL.md explicitly instructs the user/agent to set TODOIST_API_TOKEN, run chmod on ~/clawd/skills/todoist/scripts/todoist and invoke that CLI. It also states it requires curl and jq. These instructions reference a local script path that is not present in the skill bundle and access an env var not declared in metadata. The instructions are otherwise scoped to Todoist API actions (no unexpected external endpoints), but they direct filesystem changes (chmod) and execution of a local script whose provenance is unknown.
Install Mechanism
There is no install specification and no shipped code files, yet the instructions assume a CLI exists at ~/clawd/skills/todoist/scripts/todoist. This mismatch is concerning: either the skill omitted its install step or it expects the user to create or copy an executable. Without an explicit, verifiable install source, executing or chmod-ing a script at that path is risky.
Credentials
The SKILL.md requires TODOIST_API_TOKEN (reasonable for Todoist access). But the skill metadata declares no primary credential and no required env vars — an inconsistency. Requesting a single Todoist API token is proportionate to the stated purpose, but the metadata should declare it so users know what secrets are needed before install.
Persistence & Privilege
always is false and the skill doesn't request elevated system privileges. However, the instructions tell the agent to change permissions (chmod) on a file under ~/clawd/skills — this modifies the filesystem but appears limited to the skill's own path. Still verify the script's contents before making it executable. No other persistence or cross-skill configuration changes are requested.
What to consider before installing
Do not install or run this skill as-is. Key inconsistencies need resolution: the SKILL.md requires a TODOIST_API_TOKEN and a local CLI at ~/clawd/skills/todoist/scripts/todoist (and mentions curl/jq), yet the registry metadata lists no env vars, no binaries, and the skill bundle contains no script or install instructions. Before proceeding, ask the publisher for: (1) the CLI source or an explicit, verifiable install step (preferably an official release or GitHub repo), (2) the exact env vars the skill needs (TODOIST_API_TOKEN should be declared), and (3) the content of the referenced script so you can review it. If you must test, do so in a sandbox or VM, verify the script contents before running chmod/execution, and limit the API token scope / rotate it afterward. Prefer skills that declare their requirements in metadata and include a trusted install mechanism or published source code/homepage.Like a lobster shell, security has layers — review code before you run it.
latestvk97525876x6wztx7v9w63mhxnh7zkw0f
License
MIT-0
Free to use, modify, and redistribute. No attribution required.