4todo
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any agent run with this token can access the permitted 4todo API actions, including listing and changing tasks.
The skill requires a bearer token that grants access to the user's 4todo account. This is expected for the integration, but it is sensitive authority.
`FOURTODO_API_TOKEN`: your 4todo API token (Bearer token) ... Every request must include `Authorization: Bearer <token>`.
Use the narrowest token 4todo supports, inject it through a secret store or environment variable, avoid pasting it into chat, and revoke it if the skill is no longer needed.

A mistaken workspace or task choice could create, complete, move, or alter recurring task behavior in the user's 4todo account.
The skill is intended to issue API mutations that create, complete, reorder, or manage recurring todos. This is purpose-aligned, but it can change user data.
Perform the requested mutation (create / complete / reorder / recurring)
Review task and workspace names before approving changes, and ask for confirmation before broad, ambiguous, or recurring-task updates.

Users may not realize from the registry metadata alone that the skill needs curl and a 4todo API token.
The registry metadata does not declare the curl runtime dependency or the API-token credential that SKILL.md requires. The SKILL.md does disclose them, so this is a metadata completeness issue rather than hidden behavior.
Required binaries (all must exist): none ... Required env vars: none ... Primary credential: none
Declare curl and FOURTODO_API_TOKEN in the registry metadata so users see the requirements before installation.
