todoist latest

Pass. Audited by ClawScan on May 1, 2026.

Overview

This skill coherently wraps the Todoist CLI, but users should trust the external CLI and be careful because it can directly change or delete Todoist tasks.

Install this only if you trust the td Todoist CLI source. When using it, be especially careful with commands that complete, edit, reopen, or delete tasks, and remember that task contents may be cached locally and shown to the agent.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked for the wrong task or with an incorrect ID, the agent could change, complete, or delete Todoist tasks in the user's account.

Why it was flagged

The skill can perform direct Todoist account mutations, including completing, editing, and deleting tasks. This is aligned with the stated purpose but has real user impact.

Skill content

**Writes auto-sync**: `add`, `done`, `edit`, `delete` hit the API directly

Recommendation

Review task IDs and intended changes before allowing destructive or account-changing actions such as delete, done, or edit.

What this means

Anyone who can invoke the skill through the agent may cause actions using the Todoist account configured for the td CLI.

Why it was flagged

The skill operates against the user's Todoist account. Account authority is expected for this integration, and the artifacts do not show credential leakage or unrelated account access.

Skill content

wants to interact with their Todoist account

Recommendation

Authenticate the td CLI only to the intended Todoist account and revoke or rotate access if the integration is no longer needed.

What this means

Installing the external td binary gives that package code execution on the user's machine as part of normal CLI use.

Why it was flagged

The skill depends on an external CLI installed from a third-party Homebrew tap. This is central to the skill's purpose but means users must trust that external package.

Skill content

brew | formula: LuoAndOrder/tap/todoist-cli | creates binaries: td

Recommendation

Verify the Homebrew tap or Cargo package source before installing, and keep the CLI updated from a trusted source.

What this means

Personal or work task details may be stored locally and read into agent context during task-listing operations.

Why it was flagged

Todoist task data is read from a local cache. This is expected for the CLI, but cached task data may contain private information and can become stale.

Skill content

**Reads use cache**: `list`, `today`, `show` read from local cache

Recommendation

Use sync commands when freshness matters, and avoid placing highly sensitive information in tasks if local caching or agent visibility is a concern.