Todoist v1 API Reference
ReviewAudited by ClawScan on May 1, 2026.
Overview
This is a coherent Todoist API reference, but it uses a personal Todoist token and includes commands that can change or delete tasks.
This skill appears safe to install as an instruction-only Todoist reference. Before using it, understand that TODOIST_TOKEN is a personal account credential and that the provided commands can create, update, complete, and delete Todoist data.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any agent using this token can access and perform supported actions in the user's Todoist account.
The skill needs a personal Todoist API token to access the user's account; this is expected for Todoist API management, but it is sensitive authority and is not declared in the registry metadata.
Token stored in env var `TODOIST_TOKEN`... Token is a personal API token, not OAuth.
Only set TODOIST_TOKEN in trusted environments, revoke it if exposed, and review Todoist token permissions and account activity as needed.
If used without careful confirmation, the agent could change or delete Todoist tasks or projects the user intended to keep.
The skill documents direct API commands that can mutate Todoist data, including deleting tasks. This is aligned with task management and is presented as an example, not hidden automation.
curl -s -X DELETE "https://api.todoist.com/api/v1/tasks/TASK_ID"
Require explicit confirmation before create, update, complete, or delete operations, and prefer completing tasks over deleting them when unsure.