Todoist CLI

Pass. Audited by ClawScan on May 1, 2026.

Overview

This is a coherent Todoist CLI wrapper, but it uses a Todoist API token and can change or delete Todoist data if the user asks it to.

This skill appears safe for its stated purpose if you trust the Todoist CLI source. Before installing, understand that it will use your Todoist API token and can create, update, complete, move, comment on, or delete Todoist items when asked.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone or any agent process using the configured token can access and act on the Todoist data allowed by that token.

Why it was flagged

The skill requires a Todoist API token or authenticated CLI session, which is expected for managing a user's Todoist account but grants account-level access to Todoist task data.

Skill content

todoist auth <your-token> ... export TODOIST_API_TOKEN=<your-token>

Recommendation

Use only a token you intend to grant for Todoist automation, avoid exposing it in shared logs or prompts, and revoke it from Todoist settings if you stop using the skill.

What this means

If invoked on the wrong task or with unclear instructions, the agent could alter or remove Todoist items the user did not intend to change.

Why it was flagged

The CLI can modify, move, complete, reopen, and delete Todoist tasks. These actions are directly aligned with the skill's purpose, but they are account-mutating operations.

Skill content

todoist update <task-id> --due "next monday" ... todoist delete <task-id> ... todoist move <task-id> --project "Work"

Recommendation

For destructive or ambiguous requests, confirm the target task/project first and prefer listing or viewing items before updating or deleting them.

What this means

Future installs could fetch a different version of the external Todoist CLI than the one described by the current skill instructions.

Why it was flagged

The install mechanism obtains an external CLI package, and the Go install path uses @latest rather than a pinned version. This is normal for CLI setup but means the installed code may change over time.

Skill content

brew formula: buddyh/tap/todoist; go module: github.com/buddyh/todoist-cli/cmd/todoist@latest

Recommendation

Install from a source you trust, consider pinning or reviewing the CLI version, and verify the homepage/repository before providing a Todoist token.