Tasks
Pass. Audited by ClawScan on May 1, 2026.
Overview
This is a mostly straightforward task-management CLI wrapper, but it uses task-account tokens and can change tasks, so users should review token scope and commands before use.
Install this only if you are comfortable letting the Todoist CLI access and modify your task account. Use a narrowly scoped token, be cautious with any MS Graph token, verify the PyPI package before installing, and review add/complete commands before allowing them to run.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A token given to the CLI may let the agent view or modify tasks in the connected account; an MS Graph token may have broader account permissions depending on how it was issued.
The skill requires account tokens for task services, and the registry metadata does not declare env vars. This is expected for Todoist/Microsoft To-Do access, but users should notice the credential requirement and scope it carefully.
Requires `TODOIST_API_TOKEN` or `MSGRAPH_TOKEN` env var.
Use the narrowest possible token, prefer Todoist-only credentials if that is the intended service, and avoid providing an MS Graph token unless Microsoft To-Do access is truly needed.
If invoked, the agent can add tasks or mark existing tasks as done in the connected task account.
The documented commands can create and complete tasks, which changes account data. This is coherent with the skill's purpose and shown as user-directed command examples.
`todoist add "Review PR #42" --due "2026-02-05"` ... `todoist complete <task_id>`
Review task IDs and requested changes before allowing completion or creation commands, especially in shared or work task lists.
Installing the dependency gives local code from PyPI the ability to run in the user's Python environment.
The skill instructs the user to install an unpinned PyPI package. This is a normal setup step for a CLI-wrapper skill, but package provenance and version should be checked.
`pip install todoist-api-python`
Verify the package name and maintainer, consider pinning a known-good version, and install it in an isolated environment if possible.
