Todoist Task Visibility Management
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to be a real Todoist helper, but it uses a Todoist API token with a very broad API wrapper that can change account data without built-in limits.
Review before installing. This skill appears focused on Todoist task management, but only use it if you are comfortable giving the agent a Todoist API token and allowing it to create or update tasks. Prefer adding endpoint limits or confirmation prompts before using the generic API wrapper, and store any local token config file securely.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked incorrectly, the agent could perform Todoist API actions beyond simple status tracking, potentially changing account task data in unintended ways.
The wrapper lets the agent choose the HTTP method, endpoint, and request body for the Todoist API using the user's token, without an endpoint allowlist or confirmation step.
METHOD="$1"
ENDPOINT="$2"
DATA="$3"
URL="${API_BASE}/${ENDPOINT}"
Restrict the wrapper to the specific Todoist operations needed by the skill, and require explicit user confirmation for destructive, bulk, or account-wide changes.
Anyone or anything with access to this token may be able to read or modify Todoist data according to the token's permissions.
The skill requires a Todoist API token to access the user's Todoist account. This is expected for the stated purpose, but it is sensitive account authority.
export TODOIST_TOKEN="your-api-token"
Use only a token you trust the agent to use, avoid sharing logs containing the token, and rotate the token if it may have been exposed.
The skill may fail or behave inconsistently if the expected local tools are unavailable.
The skill documents runtime dependencies, but the registry metadata lists no required binaries. This is an under-declared setup requirement rather than hidden installation behavior.
All scripts require the `curl` and `jq` tools
Confirm curl and jq are installed before use, and update the skill metadata to declare these requirements.
