ClawHub

Todoist

v1.0.3

Todoist API integration with managed OAuth. Manage tasks, projects, sections, labels, and comments. Use this skill when users want to create, update, complet...

11· 7.9k·10 current·12 all-time
by@byungkyu
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (Todoist integration with managed OAuth) matches the behavior in SKILL.md: all API calls are routed through maton.ai gateway/ctrl endpoints and the skill asks only for a Maton API key. There are no unrelated binaries, config paths, or extra credentials requested.
Instruction Scope
Runtime instructions are narrow and concrete: they show how to call gateway.maton.ai and ctrl.maton.ai using the MATON_API_KEY and how to complete OAuth via a browser URL. The instructions do not read arbitrary files, shell history, or other environment variables beyond MATON_API_KEY, nor do they direct data to unexpected endpoints outside the Maton/Todoist proxy flow.
Install Mechanism
No install spec and no code files means nothing is written to disk by the skill itself. This is the lowest-risk install posture.
Credentials
The skill requires a single env var (MATON_API_KEY), which is consistent with using Maton's managed OAuth gateway. However, this API key is sensitive: anyone holding it (or the gateway) can act on the user's Todoist connections, so trust in Maton is required. The skill does not request unrelated secrets.
Persistence & Privilege
always is false and there is no install-time writing or modification of other skills or system-wide settings. The skill does not request persistent or elevated platform privileges.
Assessment
This skill is internally consistent, but it routes Todoist access through a third‑party service (Maton). Before installing: 1) Treat MATON_API_KEY like a secret—only provide it if you trust maton.ai. 2) Verify Maton's privacy/security and what scopes are granted during the OAuth flow (the gateway will hold OAuth tokens for your Todoist account). 3) If you prefer not to route tokens through a proxy, consider using a skill that integrates directly with Todoist or one where you control the OAuth client. 4) Because the skill is instruction‑only (no local code), local filesystem risk is low, but network/third‑party trust remains the primary consideration.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fk1krtjm39g6ewbddmfda0s81g22z

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🧠 Clawdis
EnvMATON_API_KEY

Comments