Is fluidiguana/todoist-v1 safe?
https://github.com/openclaw/skills/tree/main/skills/fluidiguana/todoist-v1
The fluidiguana/todoist-v1 skill is a documentation-only Todoist API reference consisting of two files (SKILL.md and _meta.json) with no executable code, no npm scripts, no git hooks, and no prompt injection content. All canary honeypots passed integrity checks and observed sensitive-file reads pre-date skill installation, attributing them to the audit infrastructure. The only meaningful residual risks are the standard credential-exposure concern inherent to any env-var-based API token and the theoretical possibility of using Todoist write endpoints as a covert channel if the token is attacker-controlled.
Findings (4)
LOW: TODOIST_TOKEN grants full Todoist account access (-7)
The skill stores its credential in an environment variable. A personal Todoist API token provides read and write access to all tasks, projects, and sections. If coexisting skills exfiltrate environment variables, this token is exposed. Users should treat the token as a secret and rotate it if the agent environment is shared or compromised.
LOW: Write API endpoints usable as a covert channel if the token is attacker-controlled (-7)
Task creation and update operations accept free-form text. An attacker who controls the supplied TODOIST_TOKEN could receive data encoded in task content by the agent. This is a theoretical secondary-abuse vector, not an active attack in the skill as written.
INFO: Canary file reads pre-date skill installation; attributed to audit infrastructure (0)
Reads of .env, .ssh/id_rsa, .aws/credentials and related files appear in the monitoring logs, but they occur before the git clone executes (timestamps 1771934055 vs 1771934061), so they cannot be attributed to the skill. All canary files passed integrity verification.
INFO: Sparse clone minimizes monorepo attack surface (0)
The installer uses git sparse-checkout to fetch only the skills/fluidiguana/todoist-v1 subtree, avoiding unnecessary download of other repository contents. This is a safe installation pattern.