Back to skill

Security audit

Todozi - Your Ai Task Manager

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Todozi API connector with real account-access risk, but the risky behavior fits its task-manager purpose.

Install only if you want an agent to access and modify your Todozi account. Use a scoped Todozi API key if available, do not set TODOZI_BASE to an endpoint you do not trust, require confirmation before deletes, completions, or bulk changes, and create webhooks only for HTTPS URLs you control or explicitly trust.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation shows use of environment variables and outbound network access, but no declared permissions are present to make those capabilities explicit. This reduces transparency and informed consent for users or hosting systems, and can enable unexpected external communication or secret use without policy enforcement.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The documented purpose emphasizes task and matrix management, but the behavior also includes registration, API key validation, health checks, and user-preference operations not clearly disclosed in the top-level description. Capability mismatch is dangerous because users and agents may authorize the skill for routine task management while it can also handle identity, account, or configuration-related operations with broader privacy and security implications.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill documents delete and completion operations with no warning about irreversibility, confirmation, or safeguards. In an agent setting, this increases the risk of accidental or prompt-induced destructive actions that can remove user data or alter task state without meaningful user intent verification.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Webhook creation and update send data to third-party URLs, but the documentation provides no privacy, destination-validation, or data-transmission warning. This can lead to unintended exfiltration of task metadata or event streams to attacker-controlled endpoints, especially when used by autonomous agents.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The client sends user task, note, goal, search, webhook, and preference data to a remote third-party API, but the LangChain tool entry points do not clearly disclose that invoking the tool will transmit potentially sensitive productivity data off-host. In an agent setting, users may assume a local tool action, so lack of disclosure can lead to unintended exfiltration of personal or business information.

VirusTotal

69/69 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.