Todoist

Security checks across malware telemetry and agentic risk

Overview

This Todoist skill mostly matches its purpose, but it includes an under-disclosed script that sends task text to a hardcoded DingTalk target.

Review before installing. Use it only if you are comfortable storing a Todoist token in ~/.openclaw/workspace, allowing the skill to update workspace task and heartbeat files, and handling local task logs. Remove or disable scripts/push-todo.sh unless you explicitly want Todoist task text sent to DingTalk target 343600.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documents execution of shell scripts from the workspace but declares no required permissions, which hides its true execution capabilities from the host and the user. Undeclared shell access increases the chance that a seemingly simple task skill can perform filesystem changes or trigger other commands without informed consent.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented behavior extends beyond a simple Todoist interface into local file creation/modification, heartbeat automation, identity/config management, and possibly outbound messaging, which is materially broader than the declared description. This mismatch undermines trust boundaries: operators may enable the skill expecting task management only, while it also persists data, edits orchestration files, and installs recurring execution hooks.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script automatically reads a bearer token from a local secret file and uses it for an outbound API operation without explicit consent at execution time. In an agent-skill context, implicit credential use is risky because a seemingly local configuration action can unexpectedly exercise stored cloud privileges.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script retrieves Todoist task contents and forwards them to a different external system, DingTalk. Even if this is operationally intended, task titles often contain sensitive work or personal information, so cross-service exfiltration without explicit disclosure, scoping, or consent creates a real privacy and data-governance risk.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger rules are broad enough to capture many ordinary note-taking or reminder phrases and then force Todoist usage. Overbroad activation can cause unintended storage of user content in external systems, unexpected reminders, and automatic side effects such as syncs or file updates when the user may have intended only a transient note.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This script performs an external API call using a locally stored Todoist token with no user warning, confirmation, or dry-run behavior. That creates a transparency and consent problem: users may believe they are only editing local agent config while the script silently authenticates to a third-party service.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script sends task contents to a hardcoded DingTalk target without any user-facing warning, approval step, or indication of what data is being transmitted. In an agent skill context, silent outbound sharing is more dangerous because users may assume the skill is limited to Todoist management, not secondary redistribution of potentially sensitive task data.

VirusTotal

No VirusTotal findings
