ClawHub

Todoist Api Rest

v1.0.0

Direct Todoist API integration via curl/jq. Lightweight, reliable, and uses working v1/v2 endpoints.

0· 487·0 current·0 all-time
by@nitsujy
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the declared requirements: curl, jq, and TODOIST_API_TOKEN are exactly what a curl-based Todoist integration needs. No unrelated services, binaries, or excessive capabilities are requested.
Instruction Scope
The SKILL.md only instructs the agent to call official Todoist endpoints (rest/v2 and legacy api/v1) using the TODOIST_API_TOKEN in Authorization headers and to pipe results through jq. That stays within the stated purpose. Note: the docs mention an alternate token location (~/.openclaw/.secrets/todoist_token.json) which the skill may read for credentials even though no config paths were declared—this is a minor scope expansion worth noting.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is downloaded or written to disk by an installer. This is low-risk from an install mechanism perspective.
Credentials
The only required environment variable is TODOIST_API_TOKEN, which is appropriate for the purpose. However, SKILL.md references an alternate local secrets file path (~/.openclaw/.secrets/todoist_token.json) that is not declared under required config paths; that creates a small mismatch between declared requirements and runtime behavior. Also remember that possession of the API token grants the skill the same API access as your account (create/modify/view tasks).
Persistence & Privilege
always is false and the skill has no install or persistence actions. It does not request elevated or cross-skill configuration access.
Assessment
This is a lightweight, coherent curl/jq wrapper for the Todoist API. Before installing: 1) Only provide a Todoist API token you intend to allow this skill to use — tokens grant full API access for that account. Consider creating a separate account/token if you want isolation. 2) Confirm whether you are comfortable with the skill reading a local token file (~/.openclaw/.secrets/todoist_token.json) — if not, keep the token only in the environment and ensure file permissions. 3) Because the skill can be invoked by the agent, monitor what tasks it creates/edits and rotate the token if you stop using the skill. If you need stricter guarantees, avoid supplying your primary account token.

Like a lobster shell, security has layers — review code before you run it.

latestvk97arrrsgvsha209w0z8by4mbd827b3k

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Clawdis
Binscurl, jq
EnvTODOIST_API_TOKEN

Comments