ms-todo-sync

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Microsoft To Do command-line tool; install it only if you are comfortable granting it read/write access to the Microsoft account you sign into.

Install only if you want this tool to read and modify Microsoft To Do data for the account you authenticate. Avoid using -y unless deletion intent is clear, store exports in a private path, do not enable --debug in shared logs or CI, and run logout when you want to remove the cached login.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding:
The skill clearly instructs the agent to perform network access to Microsoft Graph, write local files for token caches and exports, and read local files, but it declares no permissions metadata. This creates a transparency and policy-enforcement gap: users or platforms may authorize or execute the skill without understanding that it can persist credentials and write task data locally.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding:
The CLI exposes a --create-list flag implying list creation is optional, but cmd_add creates a missing list unconditionally whenever --list is supplied. That can cause unintended state-changing actions in a user's Microsoft To Do account, especially in automation where a typo in a list name silently creates a new remote resource instead of failing safely.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The export feature states that all tasks are exported to JSON but does not prominently warn that this may include sensitive task metadata such as notes, descriptions, due dates, reminders, and potentially personal or work information. A user or agent could write a plaintext local backup without appreciating the privacy risk, especially on shared systems or synced folders.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
OAuth tokens are persisted to ~/.mstodo_token_cache.json without any permission hardening or user-facing notice that long-lived credentials are being stored locally. If the file is readable by other local users, backed up insecurely, or copied from the host, an attacker may be able to reuse tokens to access or modify the victim's To Do data.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
Debug mode prints full request bodies and response bodies, which can expose sensitive task content, reminders, categories, and potentially detailed API error data to terminals, logs, shell history capture tools, or CI output. In a CLI handling personal productivity data, verbose payload logging materially increases the chance of accidental disclosure.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The export command writes the full task dataset, including notes and metadata, to a local JSON file without warning about local persistence or applying any protection. That can leak sensitive personal or work information through insecure filesystem permissions, accidental commits, shared directories, or endpoint backups.

VirusTotal

64/64 vendors flagged this skill as clean.
