ClawHub

ms-todo-sync

v1.0.2

A CLI skill to manage Microsoft To Do tasks via Microsoft Graph API. Supports listing, creating, completing, deleting, searching tasks and lists, viewing overdue/today/pending tasks, and exporting data.

0· 1.2k·2 current·2 all-time
by@xiaoski
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the actual behavior: the package uses msal and requests to call Microsoft Graph, provides device-code login, and implements list/task operations. Declared dependencies (msal, requests) and Python >=3.9 are proportionate. A default public client ID is included (common for CLI tools) and is plausible for the stated purpose.
Instruction Scope
SKILL.md's runtime instructions are narrowly scoped to installing dependencies, running the CLI, and performing a device-code login flow. Instructions reference only local token cache files (~/.mstodo_token_cache.json and ~/.mstodo_device_flow.json) and Microsoft endpoints; they do not instruct reading unrelated system files, scanning environment variables, or posting data to unexpected endpoints.
Install Mechanism
There is no automated install spec in the registry entry (instruction-only), but the repository includes pyproject/requirements and a Python script. Installation is manual via uv or pip as documented — low-risk if the user inspects the code. Note: the registry entry lacking an automated install spec while shipping code is not dangerous by itself but means users must run installs themselves.
Credentials
The skill does not request environment variables or extra credentials beyond OAuth device flow, which is appropriate. It does persist token and device-flow JSON files in the user's home directory in plaintext; this is expected for a simple CLI but is sensitive (tokens grant Tasks.Read/Tasks.ReadWrite scopes) and users should protect those files and consider using their own app/client ID if desired.
Persistence & Privilege
The skill does not request elevated or platform-wide privileges, and always:false. It registers an atexit cache-save handler and writes only its own token/device-flow files under the user's home directory. It does not modify other skills or system-wide agent configs (based on visible code).
Assessment
This skill appears to be what it claims: a Microsoft To Do CLI that uses MSAL device-code flow and stores tokens locally. Before installing: (1) review the full scripts/ms-todo-sync.py file yourself (the provided file preview was truncated here), (2) run in an isolated Python virtualenv (uv or pip install -r requirements.txt) rather than globally, (3) be aware the token cache (~/.mstodo_token_cache.json) is stored unencrypted—treat it like a password and delete or revoke tokens when no longer needed, (4) if you prefer, register your own Azure AD app and supply your own client ID instead of using the built-in default, and (5) confirm network calls are only to microsoftonline.com / graph.microsoft.com during your review. If you cannot review the full code, exercise caution or request the complete source before use.

Like a lobster shell, security has layers — review code before you run it.

latestvk970znd4xnyvgrzcstmfhph56d80zr2j

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments