Todoist

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: todoist-td
Version: 0.1.1

The skill instructs the AI agent to install the Todoist CLI (`td`) by cloning its official GitHub repository and running `npm install` and `npm link`. While the `todoist-cli` is a legitimate tool and the installation steps are standard, this process involves downloading and executing code from an external source (github.com/Doist/todoist-cli), which introduces a supply chain risk. This capability, found in `SKILL.md`, is considered high-risk even without clear malicious intent, as it could be exploited if the upstream repository were compromised.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If installed and used with an authenticated td CLI, the agent can view and change Todoist tasks as requested.

Why it was flagged

The skill is intended to act on the user's Todoist account, which implies delegated account authority to read and modify task data.

Skill content

Use the td (Todoist CLI) to read and manage Todoist todos/to-dos/tasks from the terminal.

Recommendation

Use it only with the Todoist account you intend to manage, and review task changes before confirming important edits.

What this means

A mistaken delete command could remove a Todoist task, although the instructions require explicit user intent.

Why it was flagged

The skill documents a destructive delete command that bypasses the CLI confirmation flag, but it also limits use to explicit user deletion requests.

Skill content

Delete:
- `td task delete <ref> --yes` (only if the user explicitly wants deletion)

Recommendation

Confirm the exact task before deletion and avoid using delete unless the user clearly requested it.

What this means

The behavior of the installed td CLI depends on the external repository version the user installs.

Why it was flagged

The setup instructions ask the user to clone, install, build, and link an external CLI from GitHub without pinning a reviewed commit or release.

Skill content

git clone https://github.com/Doist/todoist-cli
cd todoist-cli
npm install
npm run build
npm link

Recommendation

Install from the official Todoist CLI source, prefer a tagged release or pinned commit, and review the repository before running npm install/build/link.