Manage tasks and projects in Todoist. Use when user asks about tasks, to-dos, reminders, or productivity.
Security Analysis
Medium confidence: The skill's runtime instructions match a Todoist CLI usage, but the registry metadata doesn't declare the npm install, required binary, or the TODOIST_API_TOKEN that the SKILL.md explicitly requires — this mismatch is concerning and should be clarified before installing or running it.
The SKILL.md describes a Todoist CLI and its commands (adding, listing, completing tasks) which is coherent with the skill name and description. However, the skill's embedded metadata (in SKILL.md) lists required binary 'todoist' and env var 'TODOIST_API_TOKEN' while the registry-level metadata provided to you lists no required binaries or env vars — a clear inconsistency between what the skill claims it needs and what the registry declares.
The instructions are narrowly scoped to installing and using a Todoist CLI: installing via npm, authenticating with a Todoist API token, and running typical task-management commands. They do not instruct reading arbitrary files or exfiltrating data to third-party endpoints beyond Todoist.
There is no formal install spec in the registry, but SKILL.md instructs 'npm install -g todoist-ts-cli@^0.2.0' — an npm global package install from the public registry (moderate-risk, expected for a CLI). This is not an arbitrary URL download, but the registry should have declared the dependency and required runtime (node/npm) — that omission is inconsistent.
The CLI legitimately needs a Todoist API token (TODOIST_API_TOKEN) to operate. But the registry metadata you were given lists no required env vars or primary credential while the SKILL.md requires TODOIST_API_TOKEN and suggests running 'todoist auth <token>' (which typically persists credentials). The missing declaration of this credential and of where/how it will be stored is a proportionality and transparency concern.
The skill does not request always:true and does not require system-wide privileges. However, following its instructions will likely cause the CLI to write authentication state to disk (via 'todoist auth' or local npm package config). The registry did not declare any required config paths or note this local persistence.
Guidance
What to consider before installing or using this skill:
- The SKILL.md expects you to install a third-party npm package (todoist-ts-cli) and to provide a Todoist API token. The registry metadata you were shown does not list these requirements — ask the publisher to reconcile that mismatch.
- Verify the npm package: inspect the todoist-ts-cli package on npm (maintainer, source repo, reviews, recent releases) before installing. Prefer packages with a public GitHub repo and pinned releases.
- Be careful with your API token: avoid pasting long-lived tokens into chat. If possible, use a scoped or ephemeral token, or authenticate via Todoist's official OAuth flow rather than pasting a global token. Understand where the CLI stores credentials on disk (it may persist them in your home directory).
- If you must test the skill, run the npm install and CLI in a sandboxed environment (container or VM) and inspect what files/configs it writes.
- Ask the skill author to update the registry metadata to declare required binaries (node/npm, todoist) and required env vars (TODOIST_API_TOKEN) and to include an explicit install spec or link to the package source. That will make the skill's intent and requirements transparent.
- Given the current inconsistencies, treat this skill as potentially trustworthy but unvetted; do not install or provide secrets until the provenance and install details are confirmed.
Latest Release
v0.2.1
Tweak ordering instructions
Published by @mjrussell on ClawHub