Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Todoist

Use the td (Todoist CLI) to read and manage Todoist todos/to-dos/tasks from the terminal. Trigger when the user asks about their todos/tasks/agenda/checklist (today/upcoming/overdue), wants to list inbox/tasks/projects/labels, add a task/todo with natural language, or update/complete/delete/move tasks (e.g., add a phone number to a task description, change due dates, priorities, labels).

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name/description match the instructions: the SKILL.md exclusively documents using the td CLI to list/add/update/complete/delete Todoist tasks. There are no unrelated binaries, environment variables, or config paths requested.
Instruction Scope
Instructions are scoped to installing and using the td CLI and to safe UX (confirm before delete, ask clarifying questions). The document does not instruct reading unrelated files, exfiltrating data, or contacting unexpected endpoints.
Install Mechanism
Install steps point to the GitHub repo (https://github.com/Doist/todoist-cli) and use npm install/build/link. GitHub is a reasonable source, but npm install can run arbitrary package scripts and npm link modifies global symlinks — the user should inspect the repo/package.json before running these commands.
Credentials
The skill declares no required env vars or credentials, which is consistent with the manifest. However, the td CLI typically requires authentication (Todoist API token) or an auth flow; SKILL.md does not document how credentials are provided. This is not inherently malicious but is an omission the user should be aware of: if you supply a Todoist token to enable the CLI, the skill (agent) will be able to act on your Todoist data.
Persistence & Privilege
The skill is instruction-only, requests no persistent presence (always:false), and does not ask to modify system-wide or other-skill configs. Autonomous invocation is allowed (platform default) but not combined with other concerning privileges.
Assessment
This skill appears to be what it claims: a set of instructions to use the td CLI for Todoist. Before installing or running any commands: (1) review the linked GitHub repo and its package.json/postinstall scripts to ensure nothing unexpected runs during npm install; (2) prefer installing from a vetted release or your package manager if available; (3) be aware the td CLI needs Todoist authentication — supplying your API token will let the agent operate on your tasks, so only provide it if you trust the skill; (4) follow the SKILL.md safety advice (confirm before deleting) and ask the agent to show candidate tasks before making edits. If you want higher assurance, ask the skill author for explicit authentication instructions and a signed release or use an official distribution channel.

Like a lobster shell, security has layers — review code before you run it.

Current version: v0.1.1
latest vk9775ns2k8mj27mhyrpv0qafan7zt1nq

SKILL.md

Todoist via td CLI

Install / verify

Repo: https://github.com/Doist/todoist-cli

If td is not installed (e.g., command not found: td), install from the repo:

git clone https://github.com/Doist/todoist-cli
cd todoist-cli
npm install
npm run build
npm link

Then verify:

td --help

Use td for all Todoist operations. Prefer parseable output:

  • Use --json (or --ndjson) for listing/reading tasks.
  • Use td task update ... for edits (content, due, description, priority, labels, etc.).

Quick agenda

  • Today + overdue:
    • td today --json
  • Next N days:
    • td upcoming 7 --json
  • Inbox:
    • td inbox --json

When summarizing an agenda for the user:

  • Separate Overdue vs Due today (and optionally Upcoming).
  • Include priority (p1–p4) if present and any labels.

Find the right task to edit

Preferred approaches:

  1. If you already have the task id, use it directly:
     • Reference format: id:<taskId> (e.g., id:6WcqCcR4wF7XW5m6)
  2. If you only have a title/snippet, search/list then match:
     • td task list --json (optionally filter via other list commands like today, upcoming, inbox)
     • Then pick the correct item by content + due date + project.

To view a single task:

  • td task view <ref> --json

Common edits

Update description (notes):

  • td task update <ref> --description "..."

Update title/content:

  • td task update <ref> --content "New task title"

Change due date/time (natural language often works):

  • td task update <ref> --due "tomorrow 3pm"

Priority:

  • td task update <ref> --priority p1 (or p2/p3/p4)

Labels (replaces existing labels):

  • td task update <ref> --labels "Chores,Calls"

Complete / reopen:

  • td task complete <ref>
  • td task uncomplete id:<taskId>

Delete:

  • td task delete <ref> --yes (only if the user explicitly wants deletion)

Add tasks

Fast natural-language add:

  • td add "Call dentist tomorrow 10am p2 #Personal"

Or explicit add (when you need structured fields):

  • td task add --content "..." --due "..." --priority p2 --labels "..."

Safety / UX

  • Confirm before destructive actions (delete).
  • If multiple tasks match the user’s description, ask a clarifying question (or show candidates) before updating.
  • When the user asks to add info (e.g., a phone number), put it in the description unless they explicitly want it in the title.
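
The Safety / UX rules above, combined with the search-then-match step, as an added example that is not part of the skill: it refuses to act on an ambiguous match, requires explicit confirmation before delete, and builds an argv array instead of a shell string. The field names `id`, `content` and `due.date` are assumptions about the `--json` output, `planEdit` is a name chosen here, and the sample tasks are constructed.

```javascript
// Added example: gate td edits on a unique match and explicit confirmation.
// ASSUMPTION: each task object from `td task list --json` has `id`, `content`
// and optionally `due.date`; adjust to the fields your td version emits.

function findCandidates(tasks, snippet) {
  const needle = snippet.trim().toLowerCase();
  return tasks.filter((t) => (t.content || "").toLowerCase().includes(needle));
}

// Returns an argv array for child_process.execFile("td", argv), never a shell
// string, so quotes or shell metacharacters in task text stay in one argument.
function planEdit(tasks, snippet, action, opts = {}) {
  const hits = findCandidates(tasks, snippet);
  if (hits.length === 0) return { status: "none" };
  if (hits.length > 1) {
    // More than one match: hand the candidates back for a clarifying question.
    const candidates = hits.map((t) => ({
      ref: `id:${t.id}`, content: t.content, due: t.due?.date ?? null,
    }));
    return { status: "ambiguous", candidates };
  }
  const ref = `id:${hits[0].id}`;
  if (action === "describe") {
    const text = String(opts.text ?? "");
    return { status: "ready", argv: ["task", "update", ref, "--description", text] };
  }
  if (action === "delete") {
    // Destructive: only emit the command once the user has confirmed.
    if (opts.confirmed !== true) {
      return { status: "needs-confirmation", ref, content: hits[0].content };
    }
    return { status: "ready", argv: ["task", "delete", ref, "--yes"] };
  }
  throw new Error(`unsupported action: ${action}`);
}

// Constructed sample data; the ids are made up.
const TASKS = [
  { id: "A1", content: "Call dentist", due: { date: "2024-05-02" } },
  { id: "B2", content: "Call plumber", due: { date: "2024-05-03" } },
  { id: "C3", content: "Renew passport" },
];
```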
