Skill v1.0.0
ClawScan security
Todoist v1 API Reference · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review: Feb 20, 2026, 6:12 PM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's functionality matches a Todoist API reference, but the runtime instructions require a TODOIST_TOKEN env var while the registry metadata does not declare any required credential, an inconsistency you should resolve before installing.
- Guidance: This skill appears to be a straightforward Todoist API reference, but before installing:
  1. Note that SKILL.md expects a TODOIST_TOKEN environment variable while the registry metadata doesn't list any required credentials; ask the publisher to fix that mismatch or confirm how the token should be supplied.
  2. Only provide a minimal-scope Todoist API token (create a dedicated integration token or a throwaway/test account token); never paste your full-account password or master token.
  3. Be aware the skill will make outbound HTTPS calls to api.todoist.com using your token, so only install if you trust the skill source.
  4. If you want tighter control, test calls manually with curl first, or run the skill in a sandboxed environment and revoke or rotate the token after testing.

  If the publisher cannot explain the missing credential declaration, treat the skill cautiously.
Review Dimensions
- Purpose & Capability (note): Name and description match the SKILL.md instructions (cURL examples against https://api.todoist.com/api/v1/). The operations listed are consistent with a Todoist API helper. However, the registry metadata declares no primary credential while the instructions explicitly require TODOIST_TOKEN, which is a mismatch.
- Instruction Scope (note): SKILL.md is instruction-only and limits actions to HTTP calls (curl) to api.todoist.com and formatting JSON locally. It instructs the agent to read an environment variable TODOIST_TOKEN and to set it in shell/OpenClaw config. It does not instruct reading unrelated files or other environment variables, nor sending data to endpoints outside Todoist.
- Install Mechanism (ok): No install spec and no code files, the lowest-risk instruction-only skill. No downloads, packages, or binary installs are requested.
- Credentials (concern): SKILL.md requires a personal API token in TODOIST_TOKEN, which is appropriate for this purpose, but the skill's declared requirements list no env vars or primary credential. That registry omission is an incoherence: the skill will expect a secret at runtime but doesn't advertise it. The token is sensitive (a personal API token), so the discrepancy merits attention.
- Persistence & Privilege (ok): always:false, and default agent invocation rules apply. The skill does not request persistent installation or elevated privileges, nor does it modify other skills or system-wide configs in the instructions (it only suggests setting an env var in shell/OpenClaw config).
