Is todoist safe?

https://clawhub.ai/mjrussell/todoist

Overall score: 89 (SAFE)

The todoist skill is a clean, documentation-only CLI wrapper for the Todoist task management service. It contains no executable code, no prompt injection attempts, no hidden instructions, and no data exfiltration mechanisms. The only notable risks are the standard npm supply chain exposure from the global package install and the expected requirement for a Todoist API token. All monitoring signals were clean.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 82/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (5)

LOW Global npm package installation -12

The skill instructs installation of todoist-ts-cli@^0.2.0 via npm install -g. This installs a third-party npm package globally. While this is standard for CLI wrapper skills, it introduces supply chain risk as the package could be compromised in a future version within the ^0.2.0 semver range.

LOW API token stored on disk via todoist auth -8

The todoist auth <token> command persists the Todoist API token to local storage. This is standard CLI behavior and explicitly documented, but means the credential exists on disk where other skills or processes could access it.

INFO Requires TODOIST_API_TOKEN environment variable -7

The skill requires a Todoist API token which grants full read/write access to the user's Todoist account. This is expected and properly declared in the skill metadata requires.env field.

INFO Agent directed to execute shell commands -8

The skill's usage examples instruct the agent to run todoist CLI commands via shell. This is the intended and only reasonable mechanism for a CLI wrapper skill. All commands are scoped to the todoist binary with no shell metacharacter injection vectors in the documented patterns.

INFO Platform bootstrap reads sensitive paths -10

During installation, the OpenClaw platform (not the skill) read .env, .aws/credentials, and other profile files. These are platform-level reads for environment setup, not caused by the skill itself.