Todoist API

Security checks across malware telemetry and agentic risk

Overview

This is a broad but disclosed Todoist automation skill that can read and change Todoist data when given a token.

Install this only if you want an agent to operate your Todoist account. Use a dedicated or revocable Todoist token where possible, keep the default Todoist API endpoint unless you have a specific reason, and require dry-run review before bulk, raw, sync, delete, archive, close, reopen, backup, or email-in-address operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding: The skill documentation indicates capabilities to read environment variables, read/write files, and make network requests, but it does not declare permissions explicitly. This weakens policy enforcement and user awareness, making it easier for an agent to use sensitive capabilities such as token access and outbound API calls without clear governance.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The skill claims a bounded Todoist workflow scope, but the documented behavior includes arbitrary raw access to any Todoist API endpoint and additional capabilities like backups and email-in address management that are not clearly disclosed in the main description. This expands the operational surface beyond user expectations and can enable unintended data access or destructive actions if invoked by an agent.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding: The raw command exposes arbitrary Todoist API paths and methods, effectively expanding the skill far beyond its declared workflow surface. In an agent setting, this weakens policy boundaries and allows prompts or downstream tooling to invoke undeclared sensitive endpoints, including destructive or privacy-impacting operations that were not anticipated by the manifest.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding: The code implements backup listing and email-address creation/disable features that are not reflected in the stated skill description. Hidden capabilities are dangerous in agent environments because users and orchestrators may grant trust based on the manifest, while the tool can actually reach additional sensitive data or create alternate ingress channels via email-to-project/task addresses.

Missing User Warnings

Severity: Medium
Confidence: 73%
Finding: Archive and unarchive operations for projects execute immediately unless the caller manually uses --dry-run; they do not require a positive confirmation step like delete and bulk actions. In an agentic workflow, that increases the chance of unintended state changes from ambiguous prompts, hallucinated IDs, or mis-resolution of names.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: close-task and reopen-task are state-changing operations that complete or restore tasks without any explicit confirmation requirement. In an agent skill, these actions can materially alter the user's work state, so the lack of a stronger guard increases the risk of accidental individual or mass workflow corruption from prompt misunderstanding or wrong task selection.

VirusTotal

66/66 vendors flagged this skill as clean.