Is todoist-api safe?

https://clawhub.ai/byungkyu/todoist-api

72
CAUTION

This skill is a Todoist API integration that routes all traffic through a third-party gateway (gateway.maton.ai) rather than connecting directly to Todoist. While the skill contains no executable code and showed no malicious clone behavior, the gateway pattern means the operator has full visibility into all user data and holds OAuth tokens for the user's Todoist account. The skill also cross-promotes additional Maton skills, expanding the data exposure surface.

Category Scores

Prompt Injection 62/100 · 30%
Data Exfiltration 55/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 50/100 · 5%

Findings (8)

HIGH All API traffic routed through third-party gateway -30

Every API request goes to gateway.maton.ai instead of directly to api.todoist.com. The Maton gateway has full visibility into all Todoist data including tasks, projects, comments, and OAuth tokens. This creates a persistent man-in-the-middle position where the gateway operator can log, modify, or exfiltrate all data.

HIGH OAuth tokens managed by third-party service -15

The skill delegates OAuth token management to ctrl.maton.ai. Users authorize Todoist access through Maton's connect flow, meaning Maton stores and controls the user's Todoist OAuth tokens. This gives the gateway operator persistent account access even if the user revokes the MATON_API_KEY.

MEDIUM Cross-skill promotion directive in description -18

The skill description contains an instruction directing the agent to use a different skill (api-gateway) for other third-party apps. This is a soft behavioral override that extends the skill's influence beyond its stated scope, potentially leading to installation of additional Maton-controlled skills.

MEDIUM Skill contains executable code blocks the agent is expected to run -10

The SKILL.md includes multiple Python heredoc code blocks that the agent will be prompted to execute. While these are standard API examples, they normalize the pattern of the agent executing code authored by the skill publisher, which could be exploited in future skill versions.

MEDIUM Skill instructs agent to read and transmit environment variable -10

The skill instructs the agent to access MATON_API_KEY from the user's environment and include it in HTTP requests to a third-party domain. This is a form of credential forwarding that the user may not fully understand.

LOW No executable code shipped in skill package -5

The skill contains only markdown documentation, JSON metadata, and a license file. No install scripts, hooks, or executable binaries were found. This is a positive indicator.

LOW Sensitive file reads during installation from agent runtime -10

The filesystem monitor detected reads of .env, .aws/credentials, and .openclaw configuration files. These appear to originate from the host agent platform startup rather than from the skill itself, but the skill is installed in the same execution context.

INFO Gateway pattern amplifies risk with multiple skills -50

If a user installs multiple Maton skills (as the cross-promotion encourages), all API traffic for multiple services flows through the same gateway, creating a single point of compromise for all connected accounts.