Microsoft To Do
Review
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent Microsoft To Do integration, but it tells the agent to use delete commands that skip confirmation for tasks and lists.
Install only if you trust the `microsoft-todo-cli` package and are comfortable storing Microsoft To Do OAuth configuration locally. Before any delete action, confirm the exact task or list and avoid relying on unstable indexes or ambiguous names.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken task name, list name, or index could cause the agent to delete Microsoft To Do items immediately.
This directs the agent to bypass confirmation for destructive delete operations, including task and list removal, which can mutate the user's Microsoft To Do account without an extra review step.
- **Always use `-y`** with `rm` commands to skip confirmation
Only allow delete commands after an explicit user request and confirmation of the exact task or list. Prefer stable IDs over names or indexes for destructive actions.
Anyone with access to the local config or token files may be able to use the configured Microsoft To Do access.
The skill requires Microsoft application credentials and OAuth tokens for account access. This is expected for Microsoft To Do management, but those credentials are sensitive.
Add your credentials to `~/.config/microsoft-todo-cli/keys.yml`:
    client_id: "your-application-client-id"
    client_secret: "your-client-secret-value"
Protect the config directory, use a dedicated app registration, revoke or rotate credentials if the device is shared or compromised, and delete tokens when no longer needed.
A compromised or changed upstream package could affect what the `todo` command does with local credentials and Microsoft To Do data.
The skill depends on an external CLI package, and no package source code is included in the artifact set for review. This is normal for this kind of integration, but it shifts trust to the upstream package.
uv | package: microsoft-todo-cli | creates binaries: todo
Install from the expected package source, review the upstream project if possible, and consider pinning a known-good package version.
