Todoist
v0.2.1
Manage tasks and projects in Todoist. Use when user asks about tasks, to-dos, reminders, or productivity.
by Matt Russell (@mjrussell)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes a Todoist CLI and its commands (adding, listing, completing tasks) which is coherent with the skill name and description. However, the skill's embedded metadata (in SKILL.md) lists required binary 'todoist' and env var 'TODOIST_API_TOKEN' while the registry-level metadata provided to you lists no required binaries or env vars — a clear inconsistency between what the skill claims it needs and what the registry declares.
Instruction Scope
The instructions are narrowly scoped to installing and using a Todoist CLI: installing via npm, authenticating with a Todoist API token, and running typical task-management commands. They do not instruct reading arbitrary files or exfiltrating data to third-party endpoints beyond Todoist.
Install Mechanism
There is no formal install spec in the registry, but SKILL.md instructs 'npm install -g todoist-ts-cli@^0.2.0' — an npm global package install from the public registry (moderate-risk, expected for a CLI). This is not an arbitrary URL download, but the registry should have declared the dependency and required runtime (node/npm) — that omission is inconsistent.
Credentials
The CLI legitimately needs a Todoist API token (TODOIST_API_TOKEN) to operate. But the registry metadata you were given lists no required env vars or primary credential while the SKILL.md requires TODOIST_API_TOKEN and suggests running 'todoist auth <token>' (which typically persists credentials). The missing declaration of this credential and of where/how it will be stored is a proportionality and transparency concern.
Persistence & Privilege
The skill does not request always:true and does not require system-wide privileges. However, following its instructions will likely cause the CLI to write authentication state to disk (via 'todoist auth' or local npm package config). The registry did not declare any required config paths or note this local persistence.
What to consider before installing
What to consider before installing or using this skill:
- The SKILL.md expects you to install a third-party npm package (todoist-ts-cli) and to provide a Todoist API token. The registry metadata you were shown does not list these requirements — ask the publisher to reconcile that mismatch.
- Verify the npm package: inspect the todoist-ts-cli package on npm (maintainer, source repo, reviews, recent releases) before installing. Prefer packages with a public GitHub repo and pinned releases.
- Be careful with your API token: avoid pasting long-lived tokens into chat. If possible, use a scoped or ephemeral token, or authenticate via Todoist's official OAuth flow rather than pasting a global token. Understand where the CLI stores credentials on disk (it may persist them in your home directory).
- If you must test the skill, run the npm install and CLI in a sandboxed environment (container or VM) and inspect what files/configs it writes.
- Ask the skill author to update the registry metadata to declare required binaries (node/npm, todoist) and required env vars (TODOIST_API_TOKEN) and to include an explicit install spec or link to the package source. That will make the skill's intent and requirements transparent.
- Given the current inconsistencies, treat this skill as potentially trustworthy but unvetted; do not install or provide secrets until the provenance and install details are confirmed.

Like a lobster shell, security has layers — review code before you run it.
latest vk972n5r0sdpd87j6xhmvn966ex802pc5
Runtime requirements
✅ Clawdis
Bins: todoist
Env: TODOIST_API_TOKEN
