Microsoft To Do
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent Microsoft To Do integration, but it uses a Maton API key/OAuth connection and can change or delete To Do data, so approvals and account selection matter.
This skill appears purpose-aligned for managing Microsoft To Do. Install it only if you trust Maton with the connected account flow, keep MATON_API_KEY private, specify the intended connection when multiple accounts exist, and carefully review any create, update, or delete request before approving it.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any agent with the Maton API key may be able to access the connected Microsoft To Do integration according to the permissions granted.
The skill requires a sensitive API key and delegated Microsoft To Do access, which is expected for the integration but should be treated as account authority.
All requests require the Maton API key in the Authorization header
Use this only with a trusted Maton account, protect the MATON_API_KEY, and revoke or rotate it if it is exposed.
If the user approves the wrong action or account, tasks or task lists could be created, changed, or deleted.
The skill exposes write and delete operations against Microsoft To Do, but it also instructs the agent to get explicit approval before using them.
All write operations require explicit user approval. Before executing any create, update, or delete call, confirm the target resource and intended effect with the user.
Before approving writes, verify the Microsoft account, list name, task ID/title, and the exact intended change.
Microsoft To Do data and operations pass through a third-party API gateway, so the user is relying on Maton’s handling of OAuth and request routing.
Requests and task data are mediated by the Maton gateway before reaching Microsoft Graph, which is disclosed and central to the managed OAuth design.
Maton proxies requests to `graph.microsoft.com` and automatically injects your OAuth token.
Review Maton’s account and privacy expectations, and use the Maton-Connection header when multiple Microsoft To Do connections exist.
