Todoist
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent Todoist integration that uses a Maton API key and OAuth to read and change Todoist data, with write actions explicitly requiring user approval.
Before installing, make sure you trust Maton to proxy Todoist requests and store/manage the OAuth connection. Keep MATON_API_KEY secret, use the Maton-Connection header when multiple Todoist accounts exist, and approve only the specific Todoist changes you actually want.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any agent using the configured key can access the connected Todoist resources allowed by the OAuth connection.
The skill relies on a Maton API key and a managed OAuth connection to access the user's Todoist account. This is expected for the integration, but it grants delegated account access.
Maton proxies requests to `api.todoist.com/api/v1` and automatically injects your OAuth token. ... Authorization: Bearer $MATON_API_KEY
Only install if you trust the Maton service, keep MATON_API_KEY private, and verify the intended Todoist connection when multiple accounts are available.
If misused, the skill could alter or delete Todoist tasks, projects, labels, sections, or comments.
The skill exposes Todoist write and delete actions, but it also provides a clear approval requirement that keeps those actions user-controlled.
**All write operations require explicit user approval.** Before executing any create, update, or delete call, confirm the target resource and intended effect with the user.
Review each proposed write action carefully and confirm the exact resource and outcome before allowing it.
It may be harder to independently verify the publisher and service relationship before trusting the OAuth proxy and API key flow.
The package metadata does not provide a source repository or homepage, which limits provenance verification even though the skill itself is instruction-only.
Source: unknown; Homepage: none
Verify the Maton service and publisher through trusted channels before connecting a Todoist account.
