ClawHub

Todoist Litiao

v1.0.0

Manage tasks and projects in Todoist. Use when user asks about tasks, to-dos, reminders, or productivity.

0· 141·1 current·1 all-time
by@litiao1224
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The skill name/description (Todoist task management) align with the declared requirements (a 'todoist' CLI binary and TODOIST_API_TOKEN) and the SKILL.md commands. However, _meta.json content (different ownerId, slug, and version) does not match the registry metadata, which is a packaging/metadata inconsistency that should be confirmed with the publisher.
Instruction Scope
SKILL.md only instructs installing/running the Todoist CLI and using the Todoist API token; it does not ask the agent to read unrelated files, other environment variables, or exfiltrate data to third-party endpoints. Commands are scoped to Todoist operations.
Install Mechanism
This is an instruction-only skill (no install spec). The doc tells users to npm install -g todoist-ts-cli which is a standard way to get the 'todoist' binary but does require installing a third-party npm package globally — a moderate, expected risk. There is no packaged install URL or extract step in the registry metadata.
Credentials
Only TODOIST_API_TOKEN is required, which is appropriate for a Todoist integration. No unrelated secrets or multiple credentials are requested.
Persistence & Privilege
The skill is not always-on and is user-invocable. It does not request elevated platform persistence or modification of other skills or system config.
Assessment
This skill appears to do what it says: it runs the Todoist CLI and needs your TODOIST_API_TOKEN. Before installing or providing a token: 1) verify the npm package 'todoist-ts-cli' and its publisher (installing global npm packages runs third-party code). 2) Confirm the skill source/owner — the included _meta.json has different owner/slug/version than the registry entry, which could indicate a packaging error or repackaging. 3) Use a Todoist token with the minimum necessary scope and treat it like a secret. 4) If you prefer lower risk, install the CLI in a contained environment (container/VM) rather than globally on your machine.

Like a lobster shell, security has layers — review code before you run it.

latestvk9799ctwjby44ef5enpxmv1wp18323pa

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Clawdis
Binstodoist
EnvTODOIST_API_TOKEN

Comments